STE WILLIAMS

Skype so sorry for sending that saucy IM to mum instead of pash

Skype has admitted its IP-chat software can accidentally send punters’ private messages to the wrong person on their contact lists.

Skype ‘fessed up to the cock-up on Monday, promised a fix was in development, and added that this would be available within days. Reports of the bug first surfaced on community support forums last week.

The Microsoft-owned company said in a statement:

This issue occurs only when a user’s Skype client crashes during a Skype IM session, which may in some cases result in the last IM entered or sent prior to the crash being delivered to a different IM contact after the Skype client is rebooted or logged in as a new user.

Although we cannot determine precisely how many users may have been affected by this error, we believe the number is small given the very specific circumstances under which the error occurs.

The flaw exists on multiple platforms: builds for Windows, Linux, Mac OS X, Android, iOS and Windows Phone are vulnerable. Users are urged to upgrade their software as soon as a patch becomes available. ®
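Skype has not said why the recovered message goes to the wrong contact, so what follows is a hypothetical illustration written for this page, not Skype's code, of one way a crash-recovery path can misdirect a message: a pending-message record that names the recipient by position in the contact list rather than by a stable identifier, and that is replayed after restart without checking which account is now logged in. The hardened version binds the record to the contact id and the owning account and discards it when either no longer matches, which covers both cases in Skype's statement (same user after a reboot, different user after a fresh login). All names, fields and structures are invented.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Contact:
    contact_id: str      # stable identifier (assumed: the account name)
    display_name: str


@dataclass
class Session:
    """A logged-in account plus its contact list in the order the server returned it."""
    account: str
    contacts: List[Contact]
    delivered: List[Tuple[str, str]] = field(default_factory=list)  # (recipient id, text)

    def deliver(self, contact_id: str, text: str) -> None:
        self.delivered.append((contact_id, text))


# --- Fragile design: the crash-recovery record names the recipient by list position ---

def save_pending_by_index(contact_index: int, text: str) -> str:
    return json.dumps({"index": contact_index, "text": text})


def resend_by_index(session: Session, record: str) -> Optional[str]:
    rec = json.loads(record)
    target = session.contacts[rec["index"]]      # whoever now occupies that slot
    session.deliver(target.contact_id, rec["text"])
    return target.contact_id


# --- Hardened design: bind the record to the stable contact id and the owning account ---

def save_pending(session: Session, contact_id: str, text: str) -> str:
    return json.dumps({"account": session.account, "contact_id": contact_id, "text": text})


def resend_pending(session: Session, record: str) -> Optional[str]:
    rec = json.loads(record)
    if rec.get("account") != session.account:
        return None   # another user logged in after the crash: drop, never re-route
    if not any(c.contact_id == rec.get("contact_id") for c in session.contacts):
        return None   # recipient no longer in the list: drop rather than guess
    session.deliver(rec["contact_id"], rec["text"])
    return rec["contact_id"]


def demo() -> Dict[str, Optional[str]]:
    """Crash mid-chat with 'pash', restart with a reordered list, then a different login."""
    before = Session("alice", [Contact("mum", "Mum"), Contact("pash", "Pash")])
    by_index = save_pending_by_index(1, "saucy message")           # index 1 is pash
    by_id = save_pending(before, "pash", "saucy message")

    # After the crash the server returns the contacts in a different order.
    after = Session("alice", [Contact("pash", "Pash"), Contact("mum", "Mum")])
    # A different account logs in on the same machine.
    other = Session("bob", [Contact("carol", "Carol"), Contact("dave", "Dave")])

    return {
        "index_same_user": resend_by_index(after, by_index),   # lands on mum
        "index_other_user": resend_by_index(other, by_index),  # lands on dave
        "id_same_user": resend_pending(after, by_id),          # pash, as intended
        "id_other_user": resend_pending(other, by_id),         # None: discarded
    }


if __name__ == "__main__":
    for case, recipient in demo().items():
        print(f"{case:<18} -> {recipient}")
```

The general rule the hardened path follows is that anything persisted across a crash and replayed later must carry the identity of the principal that created it and of the party it is meant for, and the replay must refuse rather than guess when either fails to match the live session.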

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/17/skype_bug/

New ‘Madi’ cyber-espionage campaign targets Iran AND Israel

Security researchers have discovered a new cyber-espionage campaign targeting victims in the Middle East.

Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel, Afghanistan and elsewhere in the course of monitoring control servers associated with the cyber-espionage operation over the last eight months.

“Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East,” according to Seculert.

The Madi malware associated with the electronic spying operation is far less sophisticated than Flame, Duqu and Stuxnet, the malware associated with previously discovered spying operations in the Middle East, many of which have become associated with operations against Iran’s controversial nuclear programme. Leaked briefings from the Obama administration suggest both Flame and Stuxnet were joint US/Israeli operations.

Madi is a Trojan that allows remote attackers to swipe sensitive files from infected Windows computers, monitor email and instant-message exchanges, record audio, log keystrokes, and take screenshots of victims’ activities. In all these respects the malware is similar in capabilities to banking Trojans. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+ and Facebook. Surveillance also tapped integrated ERP/CRM systems, business contracts and financial management systems.

Kaspersky Lab and Seculert worked together to sinkhole the Madi Command and Control (C&C) servers and thus monitor the spying operation, which they characterise as “amateurish and rudimentary” in execution.

“While the malware and infrastructure is very basic compared to other similar projects, the Madi attackers have been able to conduct a sustained surveillance operation against high-profile victims,” said Nicolas Brulez, a senior malware researcher at Kaspersky Lab. “Perhaps the amateurish and rudimentary approach helped the operation fly under the radar and evade detection.”

Aviv Raff, Chief Technology Officer, Seculert, added:

“Interestingly, our joint analysis uncovered a lot of Persian strings littered throughout the malware and the C&C tools, which is unusual to see in malicious code. The attackers were no doubt fluent in this language.”
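The Persian strings Raff mentions are the sort of artefact a triage script can pull out of a sample before any deeper analysis. The following is an added example written for this page, not code from Kaspersky Lab, Seculert or the Madi authors: it scans a byte blob for runs of Arabic-script code points (the block Persian uses) stored either as UTF-16LE wide strings, which is how a Windows binary normally carries them, or as UTF-8, and reports each run with its offset and encoding. The sample blob is constructed for the example and is not a real Madi binary.

```python
import re
from typing import List, Tuple

# Code points U+0600..U+06FF are the Arabic script block, which Persian uses.
# A Windows binary usually holds such text as UTF-16LE (low byte, then 0x06);
# UTF-8 stores each of these characters as 0xD8..0xDB plus one continuation byte.
# Spaces (UTF-16LE 0x20 0x00, UTF-8 0x20) are allowed inside a run so that
# phrases are reported whole rather than word by word.
_UTF16_RUN = re.compile(rb"(?:[\x00-\xff]\x06|\x20\x00){3,}")
_UTF8_RUN = re.compile(rb"(?:[\xd8-\xdb][\x80-\xbf]|\x20){3,}")


def _arabic_script_chars(text: str) -> int:
    return sum(1 for ch in text if "\u0600" <= ch <= "\u06ff")


def find_persian_strings(blob: bytes, min_chars: int = 3) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of Arabic-script text in blob.

    Runs of spaces alone, or anything shorter than min_chars script characters
    once decoded, are dropped so that ordinary ASCII does not produce noise.
    """
    hits: List[Tuple[int, str, str]] = []
    for encoding, pattern in (("utf-16-le", _UTF16_RUN), ("utf-8", _UTF8_RUN)):
        for match in pattern.finditer(blob):
            text = match.group().decode(encoding, errors="replace").strip()
            if _arabic_script_chars(text) >= min_chars:
                hits.append((match.start(), encoding, text))
    return sorted(hits)


# Constructed sample (not a real Madi binary): a stub PE header, two imported
# API names, one Persian wide string and one Persian UTF-8 string.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"GetProcAddress\x00"
    + "سلام".encode("utf-16-le")     # 'salaam', as a wide string
    + b"\x00\x00\x41\x42"
    + "فایل".encode("utf-8")         # 'file', as a narrow UTF-8 string
    + b"\x00CreateFileW\x00"
)


if __name__ == "__main__":
    for offset, encoding, text in find_persian_strings(SAMPLE_BLOB):
        print(f"0x{offset:06x} {encoding:<9} {text}")
```

Running it against a real sample is a matter of reading the file into `blob`. The offsets let an analyst jump straight to the surrounding code or resource section, and the encoding mix (wide versus narrow) is itself a small clue about how the text ended up in the binary.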

More on the Madi campaign can be found in a post on Seculert’s blog (here) and from Kaspersky Lab here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/17/madi_cyber_espionage_campaign/

New UK immigration IT system late and £28m OVER BUDGET

A £385m computer system being built for the UK’s Border Agency and Border Force to process immigrants’ paperwork is a year behind schedule and £28m over budget. That’s according to the National Audit Office (NAO), which today published findings from a study it undertook in March into the stumbling IT project.

The NAO said border staff cuts coupled with an over-reliance on the delayed computer system – dubbed the Immigration Case Work (ICW) programme – had hampered the service to the point where new workers were needed to plug the gaps:

In 2011-12, the Agency’s workforce reduced by over 1,000 more than planned, despite the fact that progress was slower than expected in the ICW programme and workforce modernisation at the border, and no Agency-wide skills strategy was yet in place. The result of this disconnect was, in some places, a dip in performance and the need to hire new staff or increase overtime.

The UK Border Agency (UKBA) hopes to trim £350m in costs off its budget between 2011 and 2015. Part of that money-saving exercise involves cutting loose some 4,500 full-time employees as it relies more heavily on automated systems.

However, NAO was damning about the ICW programme. It said:

We found it had suffered from a loss of focus, poor governance structures and optimism bias in planning and reporting, although the Agency took steps to address these issues during 2011-12. Border Force workforce change has been hampered by the disjointed introduction of change measures and delay in implementation of a comprehensive operating resource model, which is needed to plan optimal deployment of staff.

It added that UKBA was aware of its shortcomings and “is preparing a new transformation programme for launch in the autumn”. The agency is expected to make swaths of changes by, among other things, reducing “management layers” by 2015.

“The real leadership test will be whether the Agency can transform casework processing without relying solely on new IT, and whether the Border Force can improve its workforce practices and raise productivity,” concluded head of the NAO Amyas Morse.

The audit office’s report can be found here [PDF]. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/17/national_audit_report_on_border_agency/

Yes, you can be sacked for making dodgy Facebook posts

Ignorance about Facebook privacy settings is no excuse for complaining about the consequences of publishing off-colour online comments, a US judge has ruled.

Robert J Sumien, an emergency medical technician in Texas, wrote a Facebook wall post about giving “boot to the head” to unruly patients. The comment came to the attention of his employers, CareFlite, an ambulance service and medical transportation firm, who showed him the door.

Sumien sued for privacy invasion and wrongful termination of his employment contract. He claimed that his employer invaded his privacy because he misunderstood a coworker’s Facebook settings and didn’t realise comments he made on a colleague’s wall would be seen by others inside and outside the hospital.

The comment that resulted in Sumien getting the sack came after his ambulance partner, Jan Roberts, posted a comment on the Facebook wall of CareFlite worker Scott Schoenhardt, suggesting she wanted to slap a patient she had recently transported. This started a discussion about what to do with unruly patients, prompting Sumien’s comments.

Both Roberts and Sumien were reported over the comments and both were fired. Sumien sued but a court rejected claims that he had any expectation of privacy about comments posted on a Facebook wall.

A trial judge rejected Sumien’s claims that he intended the comments only to be seen by his close friends and threw out his unlawful dismissal claim, a decision recently upheld by a Texas appeal court (ruling, extract below).

http://www.2ndcoa.courts.state.tx.us/opinions/pdfOpinion.asp?OpinionID=23493

Sumien contends that CareFlite intruded upon his seclusion because he did not realize that Roberts’s Facebook “friends” could view the comment that he posted on Roberts’s “wall”. While Sumien presented evidence showing that he misunderstood Roberts’s Facebook settings, did not know who had access to Roberts’s “wall”, and did not know how CareFlite was able to view his comment, he did not present any evidence to show that his misunderstanding meant that CareFlite intentionally intruded upon his seclusion.

Sumien’s comments sound much more like an off-colour rant than a genuine threat, so he can consider himself unfortunate.

Nonetheless his fate serves as a lesson for the rest of us: comments on social networking sites can cost you your job. And locking down your own Facebook settings by itself might not be enough, writes Lisa Vaas on Sophos’s Naked Security blog.

“Even if you’ve set Facebook privacy to only show your posts to friends, bear in mind that when you comment on other people’s posts, your words are subject to those friends’ privacy settings,” she said.

Legal commentary on the case can be found in a blog post by Eric Goldman, an associate professor at Santa Clara University School of Law, here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/16/facebook_job_termination_appeal_fail/

Cisco warns of major vulnerabilities in TelePresence kit

Cisco slipped out four security advisories on Friday warning of serious vulnerabilities in its high-end videoconferencing system – or TelePresence, as it prefers to call it.

The flaws affect versions of Cisco TelePresence Manager, Recording Server, Immersive Endpoint System and Multipoint Switch, and would variously allow an attacker to crash calls with malformed IP packets (a denial of service), inject code via the web interface, or achieve remote code execution and privilege escalation via the Cisco Discovery Protocol (CDP).

Cisco’s Product Security Incident Response Team (PSIRT) said there was no evidence that any of these vulnerabilities were being exploited in the wild as yet. They were uncovered during laboratory testing of the software and normal software security audits.
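Of the four advisories, the CDP one is the classic native-code case: CDP is a TLV (type, length, value) format carried in raw Ethernet frames, and a receiver that trusts the length field can be walked off the end of its buffer or left spinning in place. The parser below is an added example written for this page, not Cisco’s code and not a reproduction of the flaw in the advisory; it shows the two length checks a CDP receiver needs and what happens when frames violate them. The frames are constructed rather than captured, and the CDP checksum is not verified.

```python
import struct
from typing import Dict, List, Tuple

# TLV types from the CDP format that appear in most announcements.
CDP_TLV_TYPES = {
    0x0001: "Device ID",
    0x0002: "Addresses",
    0x0003: "Port ID",
    0x0004: "Capabilities",
    0x0005: "Software Version",
    0x0006: "Platform",
}


class MalformedCDP(ValueError):
    """Raised for any frame the parser refuses to walk."""


def parse_cdp(payload: bytes) -> Dict[str, object]:
    """Parse a CDP body: 1-byte version, 1-byte TTL, 2-byte checksum, then TLVs.

    Each TLV is a 2-byte type, a 2-byte length that counts the 4-byte TLV header
    itself, and the value. The checksum is not verified here.
    """
    if len(payload) < 4:
        raise MalformedCDP("header truncated")
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise MalformedCDP(f"unknown CDP version {version}")

    tlvs: List[Tuple[str, bytes]] = []
    offset = 4
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise MalformedCDP(f"TLV header truncated at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        # The two checks a naive receiver skips. A length below 4 would leave the
        # loop standing still (or move it backwards in a signed implementation);
        # a length past the end of the buffer would read beyond it.
        if tlv_len < 4:
            raise MalformedCDP(f"TLV length {tlv_len} smaller than its header at offset {offset}")
        if offset + tlv_len > len(payload):
            raise MalformedCDP(f"TLV length {tlv_len} overruns the frame at offset {offset}")
        value = payload[offset + 4:offset + tlv_len]
        tlvs.append((CDP_TLV_TYPES.get(tlv_type, f"type 0x{tlv_type:04x}"), value))
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}


def is_well_formed(payload: bytes) -> bool:
    try:
        parse_cdp(payload)
        return True
    except MalformedCDP:
        return False


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


# Constructed frames (not captures from any Cisco device). Version 2, TTL 180s,
# checksum left at zero because it is not checked above.
GOOD_FRAME = (
    bytes([2, 180]) + b"\x00\x00"
    + build_tlv(0x0001, b"tp-endpoint-1")
    + build_tlv(0x0003, b"GigabitEthernet0/1")
)
ZERO_LENGTH_FRAME = GOOD_FRAME[:4] + struct.pack("!HH", 0x0001, 0) + b"junk"
OVERRUN_FRAME = GOOD_FRAME[:4] + struct.pack("!HH", 0x0001, 50) + b"abc"
TRUNCATED_FRAME = GOOD_FRAME + b"\x00\x01"


if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("zero-length", ZERO_LENGTH_FRAME),
                        ("overrun", OVERRUN_FRAME), ("truncated", TRUNCATED_FRAME)):
        print(name, "ok" if is_well_formed(frame) else "rejected")
```

The same two checks (length at least the header size, length within the remaining buffer) apply to any TLV protocol a device listens to on the wire, and CDP is a useful one to test because most Cisco gear will happily process a frame from anyone on the same segment.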

Videoconferencing is one of those “always the bridesmaid, never the bride” technologies, and your Reg reporter remembers getting press releases in 1994 talking about how ISDN would make that long-ago time the year that videoconferencing would take off. We’re still waiting, but Cisco has had more success than most with its TelePresence systems, albeit only on the corporate stage.

Cisco did launch a home videoconferencing system, bizarrely dubbed Ūmi, in 2010, but merged it into the business offering last year. Instead, the company is concentrating on videoconferencing using dedicated high-bandwidth connections and advanced cameras to provide corporates with a way to trim those expensive overseas trips.

From an IT manager’s perspective, these flaws need to be fixed fast, since no one on a corporate board likes the idea of their expensive videoconferencing suite turning into a spying system. Cisco has posted patches and is urging all users to update immediately. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/16/cisco_telepresenceflaws/

Apple fails to block stolen iOS in-app content

Apple has moved to shut down a hack that allows users of iOS devices to download in-app content without paying for it – but the service is still operating and its creator remains defiant.

The exploit relies in part on a custom DNS server that intercepts incoming purchase requests from iOS devices. Over the weekend, Apple blocked that server’s IP address, preventing it from connecting to the legitimate App Store, and issued a takedown request to its ISP, TheNextWeb reports.

Apple has also asserted a copyright claim against the instructional video explaining the hack, which has since been removed from YouTube.

It is estimated that the In-Appstore.com service has already been used to download in-app content more than 30,000 times.

The man behind the hack, who goes by the handle ZonD80, has been identified as Russian programmer Alexey V. Borodin.

Despite Cupertino’s best efforts, Borodin continues to host the in-app purchasing exploit at In-Appstore.com. A DNS lookup of that domain suggests it may currently be operating from a server located in Panama.

Although Apple has recently released iOS 6 beta 3 to developers, Borodin says that patch does nothing to block his exploit.

The cheeky Russian has actually gone as far as to publish terms of service for his hack, which state that the service comes with no warranty and that he won’t be held responsible for any damages.

Nonetheless, the server is not collecting any user information, Borodin says. Although users may be asked for their App Store password when connecting to the server, he advises them to enter a random one. “This is a real appstore do [sic],” he writes.

Furthermore, Borodin insists that the hack costs users nothing and it will always be free, and he asks that merchants not contact him about profit-sharing opportunities. He is still fishing for donations, however.

Traffic to the service has been heavy, Borodin says, and his virtualized server has buckled under the load. He’d like to raise some cash to buy a dedicated machine with more bandwidth.

That may be wishful thinking, however. On Sunday, Borodin was again pleading for donations. “Tomorrow service will be shut down,” he wrote, “if I cannot find $50 for bill for hosting for next month (it’s already unpaid for two days).”

That request may have been granted, but gathering donations hasn’t been easy for Borodin. On Friday, PayPal suspended his account for violations of its acceptable use policy, meaning he won’t be able to access those funds for 180 days. Borodin is now accepting funds via the Bitcoin digital currency.

He’ll accept another kind of donation, too. “Apple, please contact me,” he writes. “I want to share my experience with you, if you give me one iPhone 5 for free!”

Apple did not immediately respond to requests for comment, but it seems unlikely that providing a free iPhone is what it has in mind. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/16/apple_vs_ios_inapp_hack/

Olympics security cockup down to software errors

A computer software failure caused the security fiasco at the Olympics, the Independent on Sunday has said, after talking to insider sources at security contractor G4S.

G4S defaulted on its Olympic security contract two weeks before the start of the games, meaning that 3,500 members of the armed forces have been drafted in to provide basic security coverage for the Olympics. The security firm said it was unable to recruit and train enough guards to adequately police the site.

The Indy has suggested both that Home Secretary Theresa May was aware of problems with G4S in September and that staff management software was to blame.

An insider said the root cause of the problem with G4S was its internal computer system which had failed to calculate staff rostering.

In a statement on the contract, G4S said:

We have recently encountered significant difficulties in processing applicants in sufficient numbers through the necessary training, vetting and accreditation procedures. As a result, we will be unable to deliver all of the necessary workforce numbers.

According to the Indy, the security firm offered to fulfil the contract at a price 25% less than that of competitors. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/16/software_caused_olympic_security_fiasco/

Symantec update killed biz PCs in three-way software prang

Symantec has apologised after an update to its security software sparked repeated crashes on enterprise Windows XP machines.

The antivirus giant withdrew the misfiring definition update, issued on 11 July, hours after problems first appeared, releasing a revised update the next day. No new issues have been reported since this signature rollback was applied.

Subsequent analysis has revealed that a three-way clash between third-party encryption drivers, Symantec’s own security software and the Windows XP Cache manager resulted in the infamous Blue Screen of Death (BSOD) on vulnerable machines, as this advisory explains:

The root cause of the issue was an incompatibility due to a three-way interaction between some third-party software that implements a file system driver using kernel stack based file objects – typical of encryption drivers, the SONAR signature and the Windows XP Cache manager. The SONAR signature update caused new file operations that create the conflict and led to the system crash.

The glitch is specific to Symantec Endpoint Protection Small Business Edition (SEP SBE) 12.1, Symantec Endpoint Protection (SEP) 12.1 and Symantec Endpoint Protection.cloud (SEP.cloud). Corporate users of other versions of Symantec’s enterprise security products weren’t affected – nor were ordinary punters.

Symantec is reviewing its quality-assurance process to improve compatibility testing, a move it hopes will safeguard against similar snafus in future.

Bugs involving antivirus signature updates crop up from time to time regardless of the vendor. Even though testing processes are improving, the sheer volume of updates software makers are obliged to push out means that testing isn’t as exhaustive as one might hope, and problems are almost certain to occur.

Release managers can only make sure these cock-ups happen as infrequently as possible rather than expending huge amounts of effort trying to prevent them entirely. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/16/symantec_update_snafu/

Prince Charles whips out jumbo red ball for Blighty’s code-breakers

Prince Charles unveiled a ball of rose marble inscribed in binary and Morse Code on Friday – a tribute to the men and women of the British intelligence services over the last century who have worked at the “slog” of cracking, interception and security.

The new memorial, a stone ball with a plaque in the National Memorial Arboretum, Staffordshire, was unveiled by the Prince and the current Director of GCHQ, Iain Lobban.

Speaking at the ceremony, Lobban said that the memorial was for the mathematicians, engineers, linguists and technologists who had all contributed to the security of Britain.

He emphasised how the teamwork and unglamorous hard slog of these people has complemented the individual specialists, like Alan Turing, and brought their ideas into being.

Due to the nature of their work, spooks rarely get much in the way of public recognition. So a former GCHQ-er at the event, Jim Simons, said he was particularly pleased to see Prince Charles getting involved: “The men and women that work behind the scenes providing the intelligence and security that helps protect the UK very often go unrecognised. To have Royal support and lasting recognition is heartening.”

The British realised the importance of intelligence gained by signal interception during the First World War when Blighty first developed radio and telephone interception techniques. In 1919, the Government Code and Cypher School (GCCS) was set up. During the Second World War, GCCS worked as part of a global network of signals collectors to produce the famous “Ultra” intelligence that drew on Turing’s work cracking the Germans’ Enigma encryption.

The group’s name changed to GCHQ in 1946 but the centre has continued to pull off impressive technical feats, including the secret development of public-key encryption in 1973, well before it was independently and publicly invented in the US. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/16/gchq_memorial/

Security fail for Apple as hacker cracks iOS in-app purchasing

A Russian hacker claims to have found a way to crack the in-app purchasing mechanism used in iOS so that users can get free content in a variety of applications.

The hacker, dubbed ZonD80, posted a video of the crack on YouTube and claims that the technique makes it possible to beat Apple’s payment systems by installing a couple of certificates and assigning a specific IP address to the device.

ZonD80 is now asking for donations to set up a website to promote the hack.

“Why you must to pay for content, already included in purchased app? I think, you must not,” he said.

No doubt Apple and the developers who depend on people paying for what they use would beg to differ. Apple hasn’t responded to requests for information from El Reg but Cupertino’s developers will no doubt be putting pressure on to fix the problem.

In testing carried out by 9to5Mac, the hack works on iOS 3.0 or later and doesn’t require the user to jailbreak their handset. The site reports that some applications can’t be hacked, and it’s possible Apple’s system for payment validation may cause the technique to fail. ®
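Both this report and the earlier one above describe a purchase flow redirected to a substitute server through a user-installed certificate and a changed DNS setting, and 9to5Mac's observation that some apps resist it points at where the defence lies: an app that trusts whatever the device's network returns can be fed a receipt, while one whose own server verifies the receipt and checks that it names this app and this product has not been shown to fall. The validator below is an added example written for this page, not Apple's or Borodin's code. It consumes the parsed JSON the developer's server would get back from Apple's receipt verification service; the field names it uses (status, receipt.bid, receipt.product_id, receipt.transaction_id) follow the old-style verifyReceipt response as an assumption, and the responses and product catalogue are constructed.

```python
from typing import Dict, Set, Tuple

# Products this app sells, keyed by the identifier it asks StoreKit for (constructed).
CATALOGUE = {"com.example.game.coins100": 100, "com.example.game.coins500": 500}


def validate_receipt(verify_response: Dict, expected_bundle_id: str,
                     expected_product_id: str, seen_transactions: Set[str]) -> Tuple[bool, str]:
    """Decide whether a verification response entitles the caller to the product.

    verify_response is the parsed JSON the developer's own server obtained from
    Apple's verification service (so the device's DNS and trust store play no
    part). seen_transactions is the server's record of transaction ids already
    credited; a genuine receipt presented twice is refused the second time.
    """
    if verify_response.get("status") != 0:
        return False, f"verification status {verify_response.get('status')}"
    receipt = verify_response.get("receipt") or {}

    # A receipt that verifies fine but belongs to another app or another product
    # is still worthless here; status alone says nothing about *whose* receipt it is.
    bundle_id = receipt.get("bid")
    if bundle_id != expected_bundle_id:
        return False, f"receipt is for bundle {bundle_id!r}, not {expected_bundle_id!r}"
    product_id = receipt.get("product_id")
    if product_id != expected_product_id or product_id not in CATALOGUE:
        return False, f"receipt is for product {product_id!r}, not {expected_product_id!r}"

    transaction_id = receipt.get("transaction_id")
    if not transaction_id:
        return False, "receipt carries no transaction id"
    if transaction_id in seen_transactions:
        return False, f"transaction {transaction_id} already credited (replay)"
    seen_transactions.add(transaction_id)
    return True, f"credit {CATALOGUE[product_id]} coins for transaction {transaction_id}"


# Constructed responses (not real Apple data): a genuine purchase for this app, and a
# valid-looking receipt that belongs to a different app, plus an outright rejection.
GENUINE = {"status": 0, "receipt": {"bid": "com.example.game",
                                    "product_id": "com.example.game.coins100",
                                    "transaction_id": "1000000012345678", "quantity": "1"}}
FOREIGN = {"status": 0, "receipt": {"bid": "com.other.app",
                                    "product_id": "com.other.app.unlock",
                                    "transaction_id": "1000000087654321", "quantity": "1"}}
REJECTED = {"status": 21002}


def run_checks() -> Dict[str, bool]:
    """Present the constructed responses in order and record which ones are accepted."""
    seen: Set[str] = set()
    args = ("com.example.game", "com.example.game.coins100", seen)
    return {
        "genuine": validate_receipt(GENUINE, *args)[0],    # first presentation: credited
        "replay": validate_receipt(GENUINE, *args)[0],     # same receipt again: refused
        "foreign": validate_receipt(FOREIGN, *args)[0],    # another app's receipt: refused
        "rejected": validate_receipt(REJECTED, *args)[0],  # Apple said no: refused
    }


if __name__ == "__main__":
    for case, accepted in run_checks().items():
        print(f"{case:<9} {'accepted' if accepted else 'refused'}")
```

The point of doing this on the developer's server rather than in the app is that the server talks to Apple over a connection the user cannot redirect or re-certify, and the server is the only place a replay check can be kept across devices.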

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/13/apple_ios_hack/