STE WILLIAMS

YouTube blurs faces to protect the innocent

YouTube has launched a feature that blurs faces in videos uploaded to the site.

In a blog post introducing the feature, the Google unit offers two use cases for the tool:

“Whether you want to share sensitive protest footage without exposing the faces of the activists involved, or share the winning point in your 8-year-old’s basketball game without broadcasting the children’s faces to the world …”

The first is an obvious application. The second is a sad necessity in the modern world: here in Australia cyber-safety advice suggests never letting your kids be photographed in a uniform of any sort (parents have also been banned from photographing junior surf lifesaving events after horridly deranged individuals thought it would be fun to snap kids in their swimming costumes).

“YouTube is proud to be a destination where people worldwide come to share their stories, including activists,” writes the site’s policy associate Amanda Conway. “We hope that the new technologies we’re rolling out will facilitate the sharing of even more stories on our platform.”

Conway also confesses that the blurring is not perfect and that some faces may remain visible due to various factors. Another glitch is that the new tool creates a blurry copy of a video: users will need to delete the pristine version in order to protect privacy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/19/youtube_blurs_faces/

Internet Defense League to save the web from evil governments

Not for profit rights group Fight for the Future will on Thursday launch the Internet Defense League, a new initiative designed to help internet stakeholders fight back whenever their rights are threatened by the man.

The League will launch tonight in San Francisco, Washington DC, New York, London and, bizarrely, Ulaanbaatar, Mongolia, by shining its trademark cat logo into the sky.

Fight for the Future’s hope is that the League will spring Batman-like into action whenever internet rights are threatened, as the following blurb on its web site explains:

The Internet Defense League takes the tactic that killed SOPA & PIPA and turns it into a permanent force for defending the internet, and making it better. Think of it like the internet’s Emergency Broadcast System, or its bat signal!

When the internet’s in danger and we need millions of people to act, the League will ask its members to broadcast an action. (Say, a prominent message asking everyone to call their elected leaders). With the combined reach of our websites and social networks, we can be massively more effective than any one organisation.

The success or failure of such a plan, of course, will depend on the reach of its members, but the group seems to have done pretty well to get the likes of Mozilla, WordPress, Reddit, the Cheezburger Network and a host of online rights groups signed up already.

Given the propensity for governments over the past year or two, especially in Asia, to tighten their grip on web freedoms, it’s probably not going to be long before we see what the League can do, and how many of those signed up actually decide to participate actively.

However, as we have seen recently in China, Thailand, Pakistan and elsewhere, what governments tend to do is espouse a slow, insidious creeping towards greater censorship and control rather than one specific SOPA-like cause which the masses can rally against.

So far the group is concentrated almost exclusively in the West. It will have to engage a lot more with internet stakeholders in Asia if it’s truly going to make a difference. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/19/internet_defense_league_launch/

Fake Facebook photo tag ruse smears malware on PCs

Spam emails have attempted to trick Facebookers into visiting virus-stuffed web pages by claiming users have been tagged in photos.

The counterfeit messages appear to have been sent by the dominant social networking website, but the “From” address is misspelled as “Faceboook.com” among other mistakes. The emails feature clickable links to a website hosting malicious code, including the infamous Blackhole kit, which tries to gain control of users’ systems when visited.

The hacker-controlled website is essentially a malware minefield that attempts to exploit web browser vulnerabilities and security flaws in Adobe applications and Java engines to push malware onto Microsoft Windows PCs.

Seconds after visiting the dodgy website – more than enough time for infection to occur – users are automatically transferred to the legitimate Facebook site, net security firm Sophos reports. This redirection is designed to minimise the possibility that victims will realise they’ve been attacked.

Sophos has added detection of the malware as Troj-JSRedir-HW. More details of the attack – including screenshots of the offending emails – can be found here. ®
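A defender-side check for the tell the article mentions, the misspelled “Faceboook.com” sender domain, as an added example (not from the article or from Sophos): it flags From domains within a small edit distance of a protected brand’s real domains. The protected-domain list, the threshold and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the brand this mail filter protects and its real sending domains.
PROTECTED = {"facebook": {"facebook.com", "facebookmail.com"}}
MAX_DISTANCE = 2  # assumption: edits tolerated before a domain no longer counts as a lookalike

# Constructed sample messages (not taken from the real campaign).
SAMPLES = {
    "typo": 'From: "Facebook" <notification@faceboook.com>\nSubject: You were tagged\n\nbody',
    "typo_sub": "From: Facebook <notify@mail.faceboook.com>\nSubject: Photo tag\n\nbody",
    "real": "From: Facebook <notification+abc@facebookmail.com>\nSubject: Tag\n\nbody",
    "name_only": 'From: "Facebook Photos" <alerts@example.net>\nSubject: Tag\n\nbody',
    "other": "From: Alice <alice@example.org>\nSubject: Lunch\n\nbody",
}


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_parts(raw_message):
    """Return (display name, lower-cased domain) taken from the From header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return name, domain


def classify_sender(raw_message):
    """Classify the From header against the protected brands."""
    name, domain = sender_parts(raw_message)
    if not domain:
        return "no-sender"
    # Naive registrable domain: the last two labels. A production filter
    # would consult the Public Suffix List instead.
    registrable = ".".join(domain.split(".")[-2:])
    for brand, real_domains in PROTECTED.items():
        if registrable in real_domains:
            # Only the string matches; the From header is forgeable, so
            # SPF/DKIM/DMARC results still have to be checked separately.
            return "legitimate-domain"
        if any(0 < edit_distance(registrable, real) <= MAX_DISTANCE
               for real in real_domains):
            return "lookalike-domain"
        if brand in name.lower():
            return "display-name-spoof"
    return "unrelated"


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify_sender(raw))
```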

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/19/facebook_photo_tag_malware_ruse/

Psst, UK software devs: Up for a Cyber Security Challenge?

A new Cyber Security Challenge UK competition aimed at finding people to protect the country against future Stuxnet-style attacks was launched on Wednesday.

Previous Cyber Security Challenge competitions focused on crypto-cracking, penetration testing and malware forensics – but this is the first competition in the challenge that will test devs’ wits on software security. The two-year-old public- and private-funded programme is now looking for software and application developers with the security know-how to keep business and critical national infrastructure safe from the latest online attacks. Defence contractor QinetiQ and training body (ISC)² have teamed up to devise the challenge.

Why devs?

Software applications are increasingly being developed for very open, highly distributed environments, often involving elements of outsourcing and many suppliers. Traditionally, developers operate under tight deadlines to introduce new functionality and security has been a secondary concern. Competition sponsor (ISC)² said it had identified software vulnerability as the number one online threat in its survey of information security professionals. It said that the majority (73 per cent) of respondents had fingered it as the main problem.

The challenge aims to test the competitors’ knowledge of security requirements, as well as their “instincts” for anticipating and resolving security vulnerabilities as they develop their own software. The best candidates will then be invited to QinetiQ at the start of next year for a “hands-on experience of writing secure code to move physical devices” and an exercise in protecting a “top secret facility from real life cyber-attacks”.

John Colley, managing director of (ISC)² EMEA, explained: “Security instincts will be just as important as technical skills, as candidates prove they can effectively research and anticipate requirements for security at the same rapid rate at which software is developing.

“Those with the right instincts have a significant opportunity to demonstrate new skills that are incredibly relevant today. We hope this competition will attract, identify and nurture new talented individuals to work in this field,” he added.

How it works

The initial phase of the competition will involve an online exercise challenging competitors to write their own secure code. Between 15 and 30 of the best candidates will then progress to the face-to-face phase of the competition, next February. All participants at this stage will be awarded a training module, with the overall winner receiving a special prize. Winners from this event will then be invited to attend the Masterclass Final and awards weekend next March.

“Cyber criminals are increasingly developing the capabilities to manipulate the software used to control key security systems,” says Neil Cassidy, practice lead in cyber defence at QinetiQ. “Attacks like Stuxnet highlight the fundamental impact which these attacks can have on national infrastructure, from power stations to military installations.

“At QinetiQ’s face-to-face stage of this competition, competitors will be responsible for securing the systems protecting a simulated top-secret facility. They must identify vulnerabilities in command software systems and work to anticipate security breaches to avoid attack. Through this Challenge we aim to provide the software developers of the future with experience of what it takes to secure software systems and the impact any failures can have.”

The competition is open to software developers and students, with entry via a registration page here. Those already working in information security are not eligible.

Upcoming competitions in the ongoing security challenge scheme will include a packet-capture analysis competition, run by the SANS Institute, that will involve the analysis of network and web application attacks, as well as a linked-based competition, to be run by Sophos. The Cyber Security Challenge UK is now in its third year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/18/cyber_security_challenge/

Drones, sub-hunting planes to attack cyber-Chinese army

Taiwan has launched a five day computer-aided war simulation exercise designed to test the country’s army, navy and air force against an attack from near neighbour China.

The virtual war games will see how well Taiwan’s armed forces cope with ballistic and cruise missile attacks as well as intrusions from drone-like unmanned aerial vehicles, according to the Taipei Times.

The simulation has been set-up to include military equipment and vehicles not yet delivered to the Taiwanese forces including the antisubmarine P-3C “Orion” maritime patrol aircraft, and AH-64D Longbow attack helicopters, the report said.

Taiwan has apparently bought 12 refurbished P-3C aircraft and 30 of the choppers from the US to boost its military against the might of the People’s Liberation Army.

The war games are also believed to feature information warfare scenarios, given that China is suspected of developing advanced capabilities in this area to disrupt and control its opponents before a shot has been fired.

The exercise is the second stage of Taiwan’s ‘Han Kuang 28’ series of drills, following similar exercises back in April.

Relations are improving between Taiwan and mainland China, helped in no small part by the hugely lucrative trade ties between the two, especially in the technology industry.

Taiwanese ODMs including Compal, Wistron and Foxconn – which between them produce most of the world’s PCs – all have significant manufacturing bases in China.

However, there is still niggle between the two and many in the Chinese Communist Party would like to see Taiwan forced officially under the rule of the People’s Republic.

Given the continued cross-Strait tensions, it’s not surprising that state-sponsored cyber espionage is believed to be widespread. Most recently, China was blamed after a laptop went missing from a Taiwanese navy missile boat. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/18/taiwan_war_game_china_subs/

Olympic Security cock-up was down to that DARN software

The CEO of beleaguered security company G4S blamed his “scheduling system” as he explained his company’s failure to adequately secure the Olympics. Facing MPs on the Home Affairs Select Committee yesterday, Nick Buckles said that the company took 100 per cent of the responsibility for the cock-up that has led to 3400 squaddies and an as yet unspecified number of police being pulled in to provide basic security cover for the Olympic Games.

Though the screw-up seems to stem from a miasma of problems at G4S starting with a badly-planned contract (Buckles says he regrets signing it), poor treatment of staff (not informed about shifts and not paid for training) and poor management all the way through the organisation, it was the scheduling software that really kickstarted the problems, said Buckles.

The beleaguered biz kingpin pinned the blame on “problems with scheduling exacerbated by people not turning up for shifts.”

Buckles said that he only found out about the crisis on the 3rd July:

I was phoned up on holiday and told that we’ve had problems with a shortfall on the contract and secondly that’s partly due to the fact that our scheduling system hasn’t effectively worked to roster the staff.

We did not know until very late that we would not be able to get 10,000 people on the ground … purely because the whole process is very back ended … It’s only when you get to the end that you know where everyone is in that pipeline.

Details of that pesky software in full

Testifying next to his CEO, Ian Horseman-Sewell, Global Events Specialist, G4S explained the troublesome rostering software in greater detail:

Our scheduling system matches the demand given by our clients in fine detail – down to two people here, three people there – to our database of people who are deployable depending on their qualifications.

Then the scheduling process allocates shifts to them. People then have the option to accept that work, typically online.

Horseman-Sewell said that there were currently 5500 fully qualified people on that database and that approximately 70% of them accepted the work when offered it. He said, however, that they hoped to be able to deploy 7000 over the course of the Games. In total 100,000 people applied for the jobs which have been advertised since the beginning of 2012.

The real-time nature of the platform seems to mean that G4S finds it hard to plan more than a day in advance, and is currently able to inform the police how much help they need only on the day. By the start of the Olympics, Buckles said, G4S hope to know 3-5 days in advance who will be turning up for what shifts.

200 security guards? We thought you meant 38

In an example of just how this set-up is going wrong, police were called in to help with a cycling event at Boxhill today. Some 200 security staff were apparently required to adequately monitor the event. The G4S rostering software had scheduled in 38, of whom 17 turned up. As a result, 170 local police officers were drafted in.

Buckles failed to provide assurances that the rest of the Games would go smoothly, and besides saying that there was a serious shortfall in qualified staff, he didn’t give an account of exactly why the numbers in the software were so wrong.

He said: “Our focus now is to deliver the contract, with hindsight we’ll find out what went wrong”.

I regret signing that contract

Buckles did say that he regretted signing the contract with the Olympic Games in the first place.

The contract to provide the 10,400 staff was signed in December 2011 and was worth £284 million. G4S estimated to make a £10m profit on the deal and then a £57 million management fee. They now estimate they will lose £30-50 million on the contract.

MPs also grilled Buckles on how much G4S would pay the police and military forces drawn in as emergency staff. They have promised to meet all costs faced by the police and armed forces.

G4S hold £600 million worth of contracts with the Home Office, including a major one with Lincolnshire Police. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/18/olympic_security_scheduling_software/

Attacker pleads guilty to hatchet-job on ISP

A South Australian man is awaiting sentencing after hacking an ISP’s servers and threatening the owner with an axe.

The Herald Sun is reporting that Bryce Quilley pleaded guilty to four charges. They included three counts of “unlawful modification of computer data”, all of which took place on June 14 last year, as well as threatening harm, and threatening to damage property.

As well as threatening the ISP’s owner with an axe, he pleaded guilty to threatening to burn down the business. According to Sophos’ Naked Security blog, Quilley was a former employee of the company he attacked.

While neither the company nor the victim have been named in the court reports, The Register notes that Quilley is identified in Whois as the registrant contact for ngn.net.au, a games network owned by Adelaide ISP NuSkope. Quilley’s Google+ page mentions “NGN” as a former employer.

He has been remanded on bail for sentencing in August. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/17/axe_attack_threatened_after_hack/

Grum botnet loses Dutch servers

ISPs in Russia and Panama are continuing to host Grum botnet command-and-control servers, after Dutch authorities silenced C&Cs in their country.

According to FireEye Research, two Netherlands-based servers were taken offline on July 17.

“With these two servers offline, the spam template inside Grum’s memory will soon time out and the zombies will try to fetch new instructions but will not be able to find them. Ideally this should stop these bots from sending more spam”, writes FireEye’s Atif Mushtaq.

Mushtaq adds that the company believes Grum to be the world’s third-largest spam botnet.

However, he says, FireEye’s attempts to contact the Russian host, Gazinvestproekt, and the Panamanian Panamaserver.com, have been unsuccessful, so servers in these countries are still operational.

“Using these two live servers, the bot herders might try to recover their botnets by executing a worldwide update. No action has been taken by the bot herders so far. There is complete silence from their side,” the FireEye blog post continues.

Botnets are the target of a growing international effort targeting their C&C servers. Earlier this year, Microsoft claimed credit for taking down the extensive Zeus and SpyEye botnets, and earlier this month the DNS servers associated with DNSChanger were finally shut down. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/17/netherlands_knocks_grum/

Hacktivists lift emails, passwords from oil biz in support of Greenpeace

An Anonymous cadre has hacked into major oil corporations’ computers to protest against drilling in the Arctic.

The attack, dubbed OpSaveTheArctic, has led to the lifting of email addresses and encrypted password hashes for about 500 email accounts at five leading oil exploration corporations: Exxon Mobil, Shell, BP, Gazprom and Rosneft. Some of the leaked contact addresses have been added to Greenpeace’s Save The Arctic petition page. Other hacktivists have been encouraged to spread the list.

The database raid by Anonymous was inspired by the Greenpeace campaign but it is not associated with the hippy organisation*.

“This Operation is carried out by Anonymous and isn’t anyhow affiliated to GreenPeace! We are just supporting their cause,” le4ky, the hacktivist behind the data dump, stated.

A manifesto for the operation was posted on Pastebin, but El Reg has declined to link to it because it contains private information that will be handy for phishing scams or worse.

Le4ky has offered to supply cracked MD5 hashes – the plaintext versions of the weakly one-way encrypted passwords – to interested parties. He claimed that the Exxon data slurp was not enabled by exploiting a vulnerability in its website but because of an unspecified mistake by its webmaster. ®

Peacenote

*It is official Greenpeace policy that all members of the organisation are required to be hippies, like it or not. Full details at the bottom of this article.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/17/opsavethearctic/

Cisco buys Virtuata for virty security

Networking juggernaut and server player Cisco Systems has snapped up Virtuata, a stealthy startup that is working on security software for virtual machines that has not really said much about itself to date – and now never will.

The acquisition was announced in a blog post by Hilton Romanski, vice president of corporate development at Cisco and formerly an investment banker at JPMorganChase.

Virtuata was founded in October 2010 by Joe Epstein, who was the company’s CEO, and Peter Danzig, who was its chief strategy officer, and has been working behind the scenes on its software since then.

Epstein was an engineer at Oracle, then technologist at Bytemobile (which Citrix Systems just acquired) and a cofounder of Meru Networks, which was set up in 2012 to chase the wireless LAN market. Danzig has been an instructor at Stanford University and a professor at the University of Southern California, and was a chief architect at NetApp and VP of technology at Akamai Technologies as well, and is a hot-shot in the caching algorithms that underpin content-delivery networks.

All that Virtuata said about what it was working on was this: “We are a stealth-mode startup reinventing the way computers are trusted and secured.”

That sentence – and presumably a pretty good business plan and a great team of programmers – was sufficient for Virtuata to receive $6m in Series A funding in March 2011, according to its CrunchBase profile.

Actually, it took a little more than that. Perhaps Citrix Systems, which lost some of its smartest techies (Simon Crosby and Ian Pratt of Xen hypervisor fame) when they went off and founded security company Bromium last year, might have been sniffing around Virtuata.

Bromium is still in stealth mode and is taking its time getting products to market, but Crosby lifted the veil on the Bromium security model last month. For the moment, Bromium is focusing on PC security and has created a microvisor that leverages Intel’s vPro security hardware and virtualization technologies to create a trust foundation with a very small “vulnerability surface” of around 10,000 lines of code. That’s a lot easier to secure than the 100 million lines of code in a PC software stack when you include an operating system and applications.

At its Synergy 2012 event in San Francisco this May, Citrix showed off Virtuata’s virtual machine security add-on to the XenClient hypervisor, which is a type 1 or bare metal hypervisor that is also tuned to Intel’s vPro circuitry and uses Trusted Execution Technology (TXT) and VT-x virtualization features to create a trusted boot environment.

The XenClient hypervisor included the ability to run what are called Service VMs, along with a secure Citrix Receiver client, network stack, and VPN program all running inside of their own locked-down VMs. Virtuata was using this Service VM for XenClient, loading up code that was known to be good into memory, and then locking it down so it could not be changed while it was running, as well as when the code is stored in executable form on disks.

Instead of trying to find bad code and stop or remove it, you merely allow only known good code to run on a machine.

Virtuata is based in Milpitas, California, and will be folded into Cisco’s Data Center and Virtualization Group, which controls its Unified Computing System blade and rack servers as well as various related switching and virtualization technologies.

David Yen, a top exec from Juniper Networks and Sun Microsystems, is the senior VP in charge of this increasingly important part of Cisco – which, incidentally, has plenty of ex-Sunners working on data center products these days.

Financial terms of the Virtuata acquisition were not disclosed.

Cisco didn’t say much about its plans, but Romanski said in his post that Virtuata provided software for “securing virtual machine level information in data centers and cloud environments,” which suggests that Cisco is thinking less about hardened PCs and more about making enterprises more comfortable with the security for virtual machines on UCS servers and Nexus switches.

“Together, Cisco and Virtuata will enable consistent and enhanced security for virtual machines allowing customers to accelerate the deployment of multi-tenant, multi-hypervisor cloud infrastructures,” Romanski said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/17/cisco_buys_virtuata/