STE WILLIAMS

Oz gov cyber-safety unit mislays user information

In an outstanding example of data-loss stupidity, a DVD containing user IDs of Australia’s Stay Smart Online Alert service has gone astray in the mail during a handover between contractors.

An e-mail sent to subscribers on 6 July and passed on to The Register by a reader states “the Department has been advised by a former external contractor that a DVD which included information provided by Stay Smart Online Alert Service subscribers was lost in Australia Posts’ system, after being posted on 11 April 2012.”

The service is currently being re-developed, apparently by a company called Ladoo, since that company’s links appear in the advisory e-mail (more on this below).

The service is managed by the Department of Broadband, Communications and the Digital Economy, which has yet to respond to questions sent by The Register via e-mail during the weekend.

The e-mail also states “The Department has no reason to believe that this information has been found and misused by any third party and we do not believe that there is a privacy risk. We are informing subscribers consistent with a ‘best practice’ approach for privacy matters.

“However, if you have used the same username, memorable phrase and/or password for other websites or services you may wish to consider whether these need to be changed.”

For information, the e-mail suggests users visit the site www.staysmartonline.com.au, but in an ironic twist, the e-mail uses obfuscated links that redirect via ladoo.com.au for the Stay Smart Online Website, user preferences, and the “unsubscribe” link.

As Stay Smart Online states on its Website: “don’t click on links in the message or paste a link from the message into your Web browser.”

The full e-mail is below. The Register has added the Ladoo links where they appear. In case the links are specific to the recipient, The Register has replaced the HTML file names at the end of redirected links. ®

Update: Since this story was first posted, a reader has alerted El Reg that the prior contractor, which sent the DVD by mail, was AUSCERT, as reported by Fairfax. ®

6 July 2012

Notification of Subscriber Data Loss

Dear Subscriber

We are writing to notify you that the Department has been advised by a former external contractor that a DVD which included information provided by Stay Smart Online Alert Service subscribers was lost in Australia Posts’ system, after being posted on 11 April 2012.

The external contractor provided the Alert Service on behalf of the Department of Broadband, Communications and the Digital Economy (‘the Department’) from 2008 until 29 April 2012, when its contract with the Department expired. As you may be aware, the Stay Smart Online Alert Service is currently being re-developed by the Department in collaboration with two new contractors.

As part of the expiry of contract handover process, the original contractor advised that it copied its SSO Alert Service subscriber database onto a DVD and, on 11 April 2012, posted this DVD to the Department using Australia Post’s express post service. Unfortunately, this DVD was never received by the Department. The original contractor has informed the Department that information on the missing DVD included subscribers’: usernames; email addresses; memorable phrases; and passwords which are unreadable (as cryptographic hash).

The Department has no reason to believe that this information has been found and misused by any third party and we do not believe that there is a privacy risk. We are informing subscribers consistent with a ‘best practice’ approach for privacy matters.

However, if you have used the same username, memorable phrase and/or password for other websites or services you may wish to consider whether these need to be changed.

For information on password security and other tips and advice on how to be safe and secure online, visit Stay Smart Online website (www.staysmartonline.gov.au). [Link: http://send.ladoo.com.au/ch/38192/1bjbv/1662928/LINK.html]

Regards

Stay Smart Online Team

CONTACT US Email: [email protected] [Link: [email protected]]

www.staysmartonline.gov.au [Link: http://send.ladoo.com.au/ch/38192/1bjbv/1662783/LINK.html]

You are receiving this message at the address [Removed for privacy reasons]

Click here [Link: http://send.ladoo.com.au/ch/38192/1bjbv/1658692/LINK.html] to update your profile preferences. If you no longer wish to receive the SSO newsletter, you can unsubscribe. [Link: http://send.ladoo.com.au/ch/38192/1bjbv/1656647/LINK.html]

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/08/stupid_stay_smart_contractor_posts_dvd/

Security firm in Tor Project ‘mass surveillance’ row responds

Cyberoam has responded to warnings that its security devices open up traffic to inspection by third parties.

Researchers affiliated to the anonymity-protecting Tor Project discovered that the skeleton key digital certificate on Cyberoam devices that permitted the inspection of SSL traffic was the same on every device.

“It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device – or, indeed, to extract the key from the device and import it into other DPI [deep packet inspection] devices, and use those for interception. Perhaps ones from more competent vendors,” the researchers warn.

Runa Sandvik of the Tor Project and Ben Laurie began their investigation after a user in Jordan reported receiving a fake certificate upon visiting torproject.org. Initially the researchers thought that Cyberoam had been tricked into issuing a fake certificate for torproject.org, similar to the infamous DigiNotar and Comodo attacks, before realising something else was afoot.

In a blog post on Thursday, Cyberoam said tamper-protection measures meant it was not possible to export cryptographic keys from its devices. It argued that its https deep scan inspection technology was benign, and intended for network malware protection and not as a tool for “mass surveillance” as Tor researchers allege. Cyberoam said its technology followed industry best practices for SSL Bridging and didn’t lend itself to man-in-the-middle attacks that the Tor researchers feared.

“Cyberoam’s private keys cannot be extracted even upon dissecting the box or cloning its hardware and software. This annuls any possibility of tampering with the existing certificates on appliance,” the firm explained.

“Cyberoam UTM either accepts or rejects, but does not store HTTPS Deep Scan Inspection data, as processing is done in real-time. The possibility of data interception between any two Cyberoam appliances is hence nullified,” it added.

Cyberoam specialises in making UTM security appliances which perform SSL inspection by generating their own certificates, via a mechanism similar to that used by other vendors. The technology is intended for use in small business or in the branches of larger businesses. Sys admins would install certificates from Cyberoam on devices on a network, allowing the traffic inspection technology to work without generating a warning.

The firm’s UTM technology provides a bundle of functions including firewall, VPN (SSL VPN and IPSec), gateway anti-virus, anti-spam, Intrusion Prevention System (IPS), content filtering and load management. The SSL traffic inspection is only a small part of this bundle, but it does mean the technology lends itself to surveillance if deployed by ISPs and attached to the internet connections of consumers, as appears to have happened in the Jordanian case. The warning from the Tor Project remains relevant in this or similar cases.

Although Cyberoam devices are bundled with technology designed to perform HTTPS scanning for antivirus, this same technology might be used to peer into the contents of encrypted communications.

Victims should uninstall the Cyberoam CA certificate from their browsers and decline to complete any connection which gives a certificate warning, the Tor researchers advise consumers.
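The two points above, that SSL inspection only works because an inspection CA has been installed in the victim’s trust store, and that removing that CA turns every intercepted connection back into a certificate warning, can be checked mechanically. The following Go program is an added example, not code from Cyberoam, the Tor Project or The Register. It constructs its own throwaway CAs (a stand-in “public root” and a stand-in “inspection CA”, both hypothetical) rather than using any real certificate, and classifies a presented server certificate by which trust store it chains to. Because the same inspection key is used for two simulated appliances, a certificate minted by either one passes on a machine that trusts that key, which is the shared-key problem the researchers describe:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a certificate authority's certificate with its signing key.
type ca struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

var serial int64 // incremented so every certificate gets a distinct serial number

// newCA creates a self-signed CA. All keys here are generated on the fly and are constructed for the example only.
func newCA(name string) ca {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return ca{cert: cert, key: priv}
}

// issue mints a server certificate for host, signed by this CA. An inspection
// appliance does exactly this on the fly for every HTTPS site a victim visits.
func (c ca) issue(host string) *x509.Certificate {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// Verdict classifies the certificate a browser was handed for host:
// "genuine" if it chains to a public root, "intercepted" if it chains only to
// a locally installed inspection CA, "untrusted" if it chains to neither.
func Verdict(leaf *x509.Certificate, host string, public, local *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: public}); err == nil {
		return "genuine"
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: local}); err == nil {
		return "intercepted"
	}
	return "untrusted"
}

// Scenario plays out the situation in the article with constructed CAs and a constructed host name.
func Scenario() (genuine, applianceA, applianceB, afterRemoval string) {
	publicCA := newCA("Constructed Public Root")
	inspectCA := newCA("Constructed Inspection CA") // one key, shipped in every appliance
	host := "example.test"
	publicPool := x509.NewCertPool()
	publicPool.AddCert(publicCA.cert)
	localPool := x509.NewCertPool() // the browser's store with the inspection CA added
	localPool.AddCert(inspectCA.cert)

	genuine = Verdict(publicCA.issue(host), host, publicPool, localPool)
	fromA := inspectCA.issue(host) // minted by appliance A
	fromB := inspectCA.issue(host) // minted by appliance B, which holds the same key
	applianceA = Verdict(fromA, host, publicPool, localPool)
	applianceB = Verdict(fromB, host, publicPool, localPool)
	afterRemoval = Verdict(fromA, host, publicPool, x509.NewCertPool()) // CA uninstalled: warning
	return
}

func main() { fmt.Println(Scenario()) }
```

The last step is the Tor researchers’ advice in code: once the inspection CA is removed from the browser’s store, a certificate from either appliance no longer verifies, and the connection produces the warning the user should decline.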

More discussion on the issue can be found in a blog post by the Tor Project here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/07/cyberoam_tor_ssl_spying_flap/

Phone-raiding Trojan slips past Apple’s App Store censors

A mobile Trojan that secretly sends the phone’s whereabouts and its address book to spammers has slipped into Apple’s App Store and Google’s Play marketplace.

Called Find And Call, the malware includes a “find your friends” feature that uploads a user’s phonebook contents to servers under the control of the application’s authors. Victims are not asked to agree to this process, which is not covered either by the program’s terms of service nor the end-user licence agreement (EULA), according to security researchers at Kaspersky Lab.

Denis Maslennikov, a senior malware analyst at Kaspersky, reports that the application also logs and uploads a phone’s GPS coordinates. Kaspersky began investigating the app following a request by Russian mobile network MegaFon, which initially suspected it was an SMS-sending Trojan.

The Find And Call server sends text messages to numbers lifted from the infected smartphones’ contacts lists, encouraging recipients to follow a link and try out the application. This behaviour separates the malware from regular SMS nasties that send spam from the actual handsets.

The app is most likely the first piece of malware to make it past Apple’s censors and reviewers and onto the App Store in the shop’s five years of operation – provided you discount a proof-of-concept program developed and released by white hat hacker Charlie Miller last year.

Malware turning up on Google’s official Android software marketplace Google Play is more common due to the store’s relaxed rules. The Chocolate Factory released a virus scanner called Bouncer, which is designed to weed out undesirable applications, back in February. By June researchers Jon Oberheide and (that man again) Charlie Miller had uncovered shortcomings in the detection engine.

Russian blog AppleInsider.ru got in touch with the developers of Find And Call via its tech support. The programmers claimed the SMS-sending feature (which has unsurprisingly drawn a number of complaints) was a bug. The developers are Russian speakers and the app is targeted at the Russian market, but payment for the application is routed via a Singapore-based firm.

Both Apple and Google pulled the application from their respective marketplaces on Thursday. Meanwhile Kaspersky Lab has added detection for both flavours of Find And Call to its mobile security products as Trojan-AndroidOS-Fidall-A and Trojan-iPhoneOS-Fidall-A, respectively. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/06/mobile_trojan_apple_app_store_shocker/

Libya’s new rulers fire up Gaddafi’s surveillance tech

Libya’s transitional government has quietly reactivated the surveillance technology it inherited from the Gaddafi regime, the Wall Street Journal reports.

The technology is being used to track the mobile phone calls and online communications of Gaddafi loyalists. Government officials told the paper that they have seen dozens of phone or Internet-chat transcripts, one of which featured a phone call between Saadi Gaddafi, exiled son of the former dictator, and a supporter inside Libya. Saadi Gaddafi fled to Niger during the course of the civil war that ousted his father.

Libya’s caretaker government has created two national-security agencies: Preventive Security and Foreign Security. Salem al-Hasi, 50, a former language teacher at a US military college, has been appointed as Libya’s new national intelligence chief. Hasi’s deputy, Mustafa Nu’ah, denied claims that the transitional government was using electronic surveillance. “We don’t have the staff or know-how to do this,” Nu’ah told the WSJ.

However, this account is contradicted by two unnamed government officials and a high-ranking security official who spoke to the paper. Security briefings routinely feature transcripts of phone calls or internet chats. It’s unclear how many people are under surveillance, but the National Transitional Council might be particularly inclined to switch the equipment on in the run-up to elections, due to take place this weekend.

Surveillance equipment was sold to the Gaddafi regime by suppliers in France, China and South Africa. During the civil war the equipment went unused – until last autumn, when it was allegedly reactivated. According to the WSJ’s sources, some of the interception equipment has been removed from the offices of Libya’s main ISP since the regime’s fall.

Adel al-Morsi, commander of the Tripoli branch office of Preventive Security, told the WSJ that he classifies schoolteachers who don’t allow children to sing the new national anthem and businessmen who became rich in the Gaddafi era as threats – along with the obvious suspects, former Gaddafi officials. Those with ties to the former regime have not been allowed to contest the upcoming elections, resulting in the exclusion of 320 potential candidates, or 7 per cent of the field.

Some activists are concerned that the use of surveillance equipment without judicial oversight or a legal framework represents a slide towards authoritarianism.

“In a few short months, the NTC has shown a pattern of creating bad laws that breach human rights,” says Elham Saudi, head of the nongovernmental group Lawyers for Justice in Libya, a group that helped gather evidence of possible war crimes by Gaddafi. “The lack of respect for rule of law is astonishing.”

Gaddafi maintained a police state, featuring arbitrary arrests and torture, during his 42 years in power at home, while employing assassins to kill political dissidents abroad. In interviews with Arabic-language newspapers, Hasi has set out an agenda to reform Libya’s security apparatus. He described turning Libya’s security operations “into civilised services at the service of the country, based on the protection of the country and the citizens.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/06/libya_surveillence/

BT to patrol MoD’s cyber borders for another 7 years

The UK’s Ministry of Defence will rely on BT to defend its electronic borders for another seven years, the company has announced, extending its existing arrangement.

BT has been providing cyber security to the MoD for a while, and helped write the UK National Cyber Security Strategy as well as being a member of the UK Cyber Hub and sponsoring the Cyber Security Challenge UK, so while it would have been a huge blow to lose the MoD as a customer, it’s not very surprising that BT has managed to extend the deal.

“BT has already delivered a world-leading solution, so it makes sense to develop our relationship further,” says the canned statement from the MoD with as much enthusiasm as it can manage.

“This agreement is a huge achievement for BT and it is testament to the success and strength of our collaboration with the MOD,” says BT’s equivalent, sounding a little more excited about the arrangement.

It’s impossible for even the military to operate without internet connectivity these days, but any online resources are an obvious target for everyone from bedroom hackers to the increasingly prevalent government-backed teams. Apparently the MoD blocked more than 1,000 “potentially serious” infiltration attempts in 2010, double the number seen in the previous year, but without knowing what qualifies as “potentially serious” it’s hard to judge how impressed we should be.

BT has the venerable Bruce Schneier on tap to help its security efforts, and will no doubt be revealing unverifiable statistics about its success over the next few years, but for the moment we don’t even know what the deal is worth. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/06/bt_mod/

Shuttleworth: Why Windows 8 made us ditch GPL Linux loader

Ubuntu daddy Mark Shuttleworth has defended Canonical’s decision to play ball with Microsoft’s Windows 8 security policy that could stop “unauthorised” Linux builds from booting on new PCs and tablets.

Manufacturers must enable a feature called Secure Boot in their products’ UEFI firmware in order to be officially labelled Windows 8 compatible. This mechanism will only start operating systems that have been signed with a digital key recognised by the motherboard’s firmware.

Modifying the computer’s start up process, such as installing a completely new operating system or updating the existing kernel core, will invalidate this signature and cause the firmware to reject the software until it is signed again by a trusted secret key.

The idea is to block viruses from tampering with the boot process and injecting themselves into a system before they can be detected. However, difficulties arise when convincing the firmware that your custom Linux build, BSD kernel or whatever else you want to run on your own hardware is legit.

Canonical chose to generate its own private key for signing the code that loads Ubuntu – its flavour of open-source Linux – and provide instructions to manually program a new machine’s firmware to recognise the key (or the user’s own private signing key if desired).
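The mechanism described in the preceding paragraphs (firmware starts only loaders whose signature verifies under a key in its trusted database; any change to the loader invalidates the signature; a vendor or user can enrol their own key; a disclosed key can be revoked) is small enough to model end to end. The Go program below is an added illustration and is not Canonical’s, Intel’s or Microsoft’s code. It uses Ed25519 over a SHA-256 digest as a stand-in for the Authenticode signatures real UEFI firmware checks, keeps a single trusted-key list in place of the separate db and dbx databases, and works on a constructed loader image rather than a real binary:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Firmware models the one Secure Boot element that matters here: the set of
// public keys the firmware trusts to have signed a boot loader. Real firmware
// also keeps a forbidden-signatures list (dbx); this toy revokes by removing the key.
type Firmware struct {
	TrustedKeys []ed25519.PublicKey
}

// Loader is a boot-time binary together with a vendor's signature over it.
type Loader struct {
	Image     []byte
	Signature []byte
}

// Sign signs the SHA-256 digest of an image with a vendor's private key.
func Sign(priv ed25519.PrivateKey, image []byte) Loader {
	d := sha256.Sum256(image)
	return Loader{Image: image, Signature: ed25519.Sign(priv, d[:])}
}

// Boot reports whether the firmware would start this loader: the signature
// must verify under at least one key in the trusted database.
func (fw Firmware) Boot(l Loader) bool {
	d := sha256.Sum256(l.Image)
	for _, pub := range fw.TrustedKeys {
		if ed25519.Verify(pub, d[:], l.Signature) {
			return true
		}
	}
	return false
}

// Enroll adds a key to the trusted database, the manual step in which an
// owner tells the firmware to accept a distribution's key or their own.
func (fw *Firmware) Enroll(pub ed25519.PublicKey) {
	fw.TrustedKeys = append(fw.TrustedKeys, pub)
}

// Revoke removes a key, which is what a key revocation means for every
// machine that had trusted it: loaders signed by that key stop booting.
func (fw *Firmware) Revoke(pub ed25519.PublicKey) {
	kept := fw.TrustedKeys[:0]
	for _, k := range fw.TrustedKeys {
		if !k.Equal(pub) {
			kept = append(kept, k)
		}
	}
	fw.TrustedKeys = kept
}

// Outcome records whether each loader in the scenario boots.
type Outcome struct {
	OEMSigned, Tampered, UnknownVendor, AfterEnroll, AfterRevoke bool
}

// Scenario walks through the cases the article describes with freshly
// generated (constructed) OEM and distribution keys.
func Scenario() Outcome {
	oemPub, oemPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	distroPub, distroPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fw := &Firmware{TrustedKeys: []ed25519.PublicKey{oemPub}} // ships trusting the OEM only
	image := []byte("constructed loader image v1")

	var o Outcome
	o.OEMSigned = fw.Boot(Sign(oemPriv, image)) // vendor-signed loader starts

	// An updated kernel or loader that was not re-signed: one byte differs,
	// so the old signature no longer matches the image.
	updated := Sign(oemPriv, image)
	updated.Image = append([]byte(nil), image...)
	updated.Image[len(updated.Image)-1] = '2'
	o.Tampered = fw.Boot(updated)

	distroLoader := Sign(distroPriv, image) // signed with a key the firmware has never seen
	o.UnknownVendor = fw.Boot(distroLoader)
	fw.Enroll(distroPub) // owner enrols the distribution's key
	o.AfterEnroll = fw.Boot(distroLoader)
	fw.Revoke(distroPub) // key disclosed, so it is revoked
	o.AfterRevoke = fw.Boot(distroLoader)
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

The revocation step is the consequence Canonical is worried about further down: once a signing key is public, the only defence for machines that trusted it is to stop trusting it, which also stops every legitimately signed loader from that vendor.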

But rather than use the popular GRUB2 boot loader, which is distributed under the strict GPL v3 licence and is a project of the Free Software Foundation (FSF), the Canonical team opted to use Intel’s more liberally licensed efilinux loader to boot the Ubuntu operating system.

According to Shuttleworth, this decision was taken because there is too much uncertainty surrounding the terms of the FSF’s GPL v3 and its implications for Ubuntu’s secret signing key.

Canonical believes it could be forced to publish its private key if it is used to sign a build of GRUB2. Once in the public domain, its key could be used by anyone to sign and install malicious boot-time software on machines that trusted it. The disclosure could eventually lead to the revocation of Ubuntu’s private key.

Cleaning up someone else’s ‘screw up’

While taking Reg readers’ questions during a one-hour live web chat this week, Shuttleworth said the Software Freedom Law Center (SFLC) had advised Canonical that the Ubuntu key would have to be disclosed if “some manufacturer screwed up” by, say, distributing a copy of GRUB2 signed by Ubuntu’s key.

Clauses in the GPL v3 licence demand that the key is published in this scenario, he said. The FSF disagrees and was critical of Ubuntu’s policy on Secure Boot and its decision to drop GRUB2.

QA participant Tom Dial asked: “Based on the statement by FSF that the GPL v3 licence on GRUB 2 would not require disclosure of the Ubuntu private keys for Secure Boot, will Canonical reconsider its approach to that?”

Shuttleworth replied:

The SFLC advice to us was that the FSF could require key disclosure if some OEM screwed up. As nice as it is that someone at the FSF says they would not, we have to plan for a world where leaders change and institutional priorities change. The FSF wrote a licence that would give them the rights to take specific actions, and it’s hard for them to argue they never would!

The SFLC was created in 2005 by the FSF’s then director and legal counsel Eben Moglen and it helped draft the foundation’s GPL v3 licence. The FSF called the fear of key disclosure “unfounded and based on a misunderstanding of GPL v3”. However, it seems, Canonical has not been reassured by the SFLC, the FSF nor the wording of the GPL v3.

The SFLC sees UEFI boot on ARM as a way for Microsoft and PC makers to act anticompetitively and exclude “alternative” operating systems. The UEFI boot issue was first uncovered by Red Hat’s Matthew Garrett last year. The FSF sees the mechanism as a threat to users’ freedoms and takes the position that user-generated keys and a GPL v3 boot loader is the best combination.

Microsoft stated support for UEFI Secure Boot as a requirement OEMs must meet in order to gain Windows 8 certification. The rules are relaxed for Intel x86-powered systems, and user-generated signing keys are allowed on this platform. On ARM systems, however, customised keys are forbidden and only a limited set of keys are recognised. It’s part of an emerging Redmond policy to lock down Windows 8 ARM tablets to head off crashes, bugs and hacks.

The upshot is Linux will require a secure signing key to prove it’s safe on machines that might also run Windows 8. Not a problem on x86, but an issue for distros that might want to get onto Microsoft Surface-like slabs that use ARM processors.

The Fedora Project, meanwhile, has also got on board with Microsoft. It’s sticking with GRUB2 but its boot-loader key will be signed by Microsoft under a service from Verisign.

You can replay the Shuttleworth Live Chat, which drew an audience of more than 450 readers, here. He also tackled questions regarding the Ubuntu design “reboot”, GNOME disruption and his flight into space with the Russian space programme. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/06/shuttleworth_responds_uefi/

Ex-Alibaba GM cuffed as bribery scandal resurfaces

A former general manager at one of e-commerce giant Alibaba’s web businesses has been arrested by Chinese police on suspicion of bribery, as the scandal-hit firm struggles to move on from long-standing allegations of corruption.

China’s biggest e-commerce business revealed the news on Thursday that Yan Limin, until recently general manager of Groupon-style daily deals site Juhuasuan, had been cuffed by cops in the eastern city of Hangzhou.

Yan was kicked out of the company back in March for what Alibaba described as “misconduct”, the firm said in a statement, adding that its internal investigation had revealed a further 28 employees had been involved in dodgy dealings.

Alibaba posted a lengthy statement on the affair, which is rendered virtually incomprehensible by Google Translate, but a Hong Kong-based spokeswoman for the company told The Reg that its own Integrity Department had co-operated fully with the police.

“It re-emphasises that Alibaba Group has a zero-tolerance policy against corruption and is determined to stamp out these types of behaviour,” she said.

“From an overall perspective, this is a continuation of what we discussed before: we are transparently communicating with customers, vendors and third parties, as well as employees, when we find a situation involving misconduct inside the company.”

This isn’t the first time that corruption allegations have enveloped the company.

In February 2011, CEO David Wei and COO Elvis Lee were forced to quit after the firm alleged that members of their sales team had allowed thousands of suppliers to defraud the site’s customers.

Alibaba insists that these were “isolated situations”, however, and has its sights set on the more important business of growing profits and attacking the smartphone market with its home-grown Aliyun OS. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/06/alibaba_general_manager_arrested_bribery/

Microsoft’s XML 0-day fix expected in July Patch Tuesday

Microsoft is planning to release nine bulletins, three critical, as part of the July edition of its Patch Tuesday monthly update cycle.

One of the three crucial advisories is expected* to offer patches for a serious XML Core Services vulnerability, disclosed but not fixed in June’s Patch Tuesday. This vulnerability has been actively exploited in attacks over recent weeks. The other two crucial bulletins cover unspecified problems in Internet Explorer and Windows.

The remaining six bulletins are rated “important” and grapple with flaws in Windows, Office, Sharepoint and Office for the Mac.

Redmond has also been rolling out an improved version of the Windows Update client over recent weeks, designed to address shortcomings in the patching mechanism abused by the Flame cyber-espionage tool. These improved patching measures will come into play in earnest with next week’s update, which is due to arrive on 10 July.

Microsoft’s advisory can be found here. Additional commentary from Wolfgang Kandek, CTO at vulnerability scanning firm Qualys, can be found here. ®

Bootnote

* The majority of security watchers expect Redmond to patch the XML flaw next Tuesday but this remains unconfirmed. Paul Henry, security and forensic analyst at Lumension, certainly has his doubts.

“It remains unclear if Microsoft will be issuing a patch this Patch Tuesday for the XML Core Services issue that is currently being actively exploited in IE attacks,” Henry writes. “Microsoft normally includes details in their pre-release information if a Day Zero patch is included. However, in the July pre-release, no mention of the issue was included.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/06/july_patch_tuesday_pre_alert/

DNSChanger shutdown may kick 300,000 offline on Monday

An estimated 300,000 computer connections are going to get scrambled when the FBI turns off the command and control servers for the DNSChanger botnet on Monday.

The FBI took control of the botnet in November after identifying its command servers and swapping them out for their own systems – as well as arresting six Estonians accused of running the scam. But it left the botnet running, since shutting it down would have disrupted the connections of the infected systems, which at the botnet’s height accounted for over four million computers.

DNSChanger reroutes DNS requests to its own servers and then pushes scareware and advertising to infected machines. Shutting it down, however, will leave computers unable to access websites and email properly without a fix being applied. The FBI had been due to shut down DNSChanger in March, but left it up for an extra three months to allow more time for users to disinfect their systems.

Companies and governments have made a big effort to clean systems with the help of the DNS Changer Working Group (DCWG), which was set up by security experts to manage the problems. But according to the latest DCWG data, there are still 303867 infected systems out there, with around a fifth of those based in the US.

Checking for infection is simple enough. Links on the FBI and DCWG site will allow users to be scanned for the malware automatically, and fixes are available for Windows systems down to and including XP. Security software vendors have had patches out almost since DNSChanger was detected, and have free tools available. The DCWG recommends using these multiple times to make sure any infection is stymied.
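The check the FBI and DCWG pages perform is, at bottom, a comparison of the resolvers a machine is configured to use against the address ranges the rogue DNS servers occupied. The Go program below is an added example, not the DCWG’s or FBI’s tool. It parses resolv.conf-style text and flags any nameserver inside a rogue prefix. The prefix list is a placeholder: 192.0.2.0/24 is reserved documentation space standing in for the ranges the DCWG published, and the sample resolv.conf is constructed, not captured from a real host:

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// RogueResolverPrefixes is a placeholder. The real values are the rogue
// resolver ranges published by the DCWG; 192.0.2.0/24 (documentation space)
// stands in for them so the example runs offline.
var RogueResolverPrefixes = []string{"192.0.2.0/24"}

// ResolversFromResolvConf extracts the nameserver addresses from the text of
// a resolv.conf file, ignoring comments and other directives.
func ResolversFromResolvConf(text string) ([]netip.Addr, error) {
	var out []netip.Addr
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "nameserver" {
			continue
		}
		addr, err := netip.ParseAddr(fields[1])
		if err != nil {
			return nil, fmt.Errorf("bad nameserver %q: %w", fields[1], err)
		}
		out = append(out, addr)
	}
	return out, sc.Err()
}

// RogueResolvers returns the addresses that fall inside any of the given
// prefixes; a non-empty result means the host is still pointed at the botnet.
func RogueResolvers(addrs []netip.Addr, prefixes []string) ([]netip.Addr, error) {
	parsed := make([]netip.Prefix, 0, len(prefixes))
	for _, p := range prefixes {
		pf, err := netip.ParsePrefix(p)
		if err != nil {
			return nil, fmt.Errorf("bad prefix %q: %w", p, err)
		}
		parsed = append(parsed, pf)
	}
	var hits []netip.Addr
	for _, a := range addrs {
		for _, pf := range parsed {
			if pf.Contains(a.Unmap()) { // Unmap so an IPv4-mapped IPv6 address still matches
				hits = append(hits, a)
				break
			}
		}
	}
	return hits, nil
}

// sampleResolvConf is constructed input for the example: one ordinary
// internal resolver and one inside the placeholder rogue range.
const sampleResolvConf = `# constructed sample, not from a real machine
search corp.example
nameserver 10.0.0.53
nameserver 192.0.2.45
`

func main() {
	addrs, err := ResolversFromResolvConf(sampleResolvConf)
	if err != nil {
		panic(err)
	}
	hits, err := RogueResolvers(addrs, RogueResolverPrefixes)
	if err != nil {
		panic(err)
	}
	if len(hits) == 0 {
		fmt.Println("no rogue resolvers configured")
		return
	}
	fmt.Println("rogue resolvers still configured:", hits)
}
```

On Windows the same comparison applies to the DNS servers shown by `ipconfig /all`; the parsing differs but the prefix check does not. A home router that the malware reconfigured will also hand out rogue resolvers over DHCP, so a clean host behind an infected router can still fail this check.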

So who’s going to be left looking at a dead connection on Monday? Security firm IID estimated last month that 12 per cent of the Fortune 500 firms and 4 per cent of “major” US government organizations still have machines infected with DNSChanger, although it noted things were improving rapidly.

No doubt many consumers will also add to those numbers, so expect a call from your aging relatives on Monday, asking why they can’t make the internets work. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/dnschanger_botnet_shutdown/

Computer error triggers mass rocket launch

Americans love their fireworks on Independence Day, but it is possible to have too much of a good thing. That’s what spectators got on July 4 in San Diego, California, when an errant computer triggered every rocket in the city’s annual display to launch at once.

The pyrotechnics were meant to last 18 minutes. Instead, the whole show was over in roughly 15 seconds, after a deafening display that saw all five launch sites blast their missiles into the air simultaneously.

“We apologize for the brevity of the show,” the Port of San Diego said in an understatement statement. “Approximately five minutes before the show was to start, a signal was sent to the barges that would set the timing for the rest of the show after the introduction.” Although the signal had tested properly earlier, at showtime it triggered the mass launch.

The show was organized by New Jersey-based Garden State Fireworks, which has previously organized Independence Day fireworks displays for New York City and Washington, DC, among other high-profile shows. None had resulted in San Diego’s simultaneous pyrogasm.

“There was a malfunction of the firing systems which ignite the fireworks,” Garden State Fireworks co-owner August Santore said in an interview with NBC San Diego. “They were scheduled to be programmed for 15-16 minutes, and somehow, some sort of virus must have got into the program.”

Although the company has yet to determine the exact nature of the glitch that caused the massive detonation, Santore claims it was definitely due to a software error in the computerized firing systems that ignite the fireworks.

“There was no malfunction in the pyrotechnics, nor was there any human error,” Santore told NBC. “It was strictly a program glitch. Something happened in the program, which we’re working vigorously to pinpoint.”

Despite the malfunctioning system’s best efforts, no casualties were reported. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/fireworks_computer_error/