STE WILLIAMS

Google denies Redmond report of a spamming Android botnet

Google is disputing claims from a Microsoft researcher that a functioning botnet is operating on Android phones and spamming out Viagra and penny stock adverts to unsuspecting punters.

Terry Zink, program manager for Microsoft Forefront online security, took time during the annual July 4 “We’re kicking out the Brits and will spell color any way we please” holiday to post an analysis of a spam operation using Yahoo!’s webmail service. The spam uses the message ID [email protected] and includes the line “Sent from Yahoo! Mail on Android”.

“All of these messages are sent from Android devices,” he said. “We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices login to the user’s Yahoo Mail account and send spam.”

Zink said that those IP addresses that included location data indicated the infected devices were located in Chile, Indonesia, Lebanon, Oman, the Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela. He attributed this to the likelihood that local Android app sites in those countries were selling malware-laced software for Android.

“The evidence does not support the Android botnet claim,” Google told The Register in a statement. “Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using.”

Zink’s announcement certainly set tongues wagging in the security industry, with vendors split on whether or not this is an actual Android botnet or a clever spoof using PCs looking to imitate such a scenario.

Sophos senior security advisor Chet Wisniewski told The Register that spam was still coming in from the botnet at a rate of around five pieces an hour, and the circumstantial evidence seemed to suggest a functioning Android botnet.

“There’s just little pieces of evidence that this is coming from an Android handset, but no smoking gun that proves the case entirely,” he said.

On Thursday, Zink posted an update to his original report, conceding that the case for the botnet was not proven. It would be possible, he said, to use a PC to strip out the Yahoo! message IDs and replace them, and to add the sent-from-an-Android line. He acknowledged that this could all be an “elaborate deception” by spammers, but said he stands by his original findings.

Yahoo! told El Reg in a statement that it was investigating the case and that it encourages users of its mobile applications to only buy applications from registered marketplaces. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/google_denies_microsoft_android_botnet/

Ex-France Telecom CEO probed over staff suicide spate

Former France Telecom chief executive Didier Lombard is under investigation following a spate of staff suicides at his firm in 2008 and 2009.

Lombard was in charge of the company when more than 30 employees took their lives and others attempted to kill themselves amid mass redundancies at the telco.

A court in Paris, which is conducting the probe, will decide whether or not to bring charges of harassment against the firm’s management or even the company itself.

The case was opened after trade union SUD-PTT filed a formal complaint. The union said yesterday that it welcomed the court’s decision to investigate Lombard.

“A trial must take place and we hope it will unveil the responsibilities and dismantle the mechanisms that led to this crisis of suicides at France Telecom,” SUD-PTT said in a canned statement.

Lombard, who stepped down as CEO early in 2010 because of the crisis, was questioned in the court on Wednesday. On the same day, he defended himself in an article in French newspaper Le Monde.

“I strongly doubt that these plans, which were essential to the survival of the company, may have been the cause of the human tragedies cited in support of complaints,” he wrote.

“Giving up these plans would certainly have had painful consequences for the group and for the employment of its employees,” he added.

Lombard was referring to the massive upheaval at the firm that saw headcount reduced by 22,000 while 10,000 more were moved into new positions. The restructure came 10 years after the privatisation of the company.

Unions claimed that the forced moves and impossible performance targets imposed on people who used to be civil servants – many of whom had “protected employment” status, presumably making it difficult to fire them – were partly to blame for the suicides. But France Telecom said at the time that the proportion of suicides in its workforce was the same as the overall rate in France.

Lombard was released on bail of €100,000 ($125,000, £80,307), Reuters reported. If he is charged and found guilty of harassment, he could face up to one year in prison as well as a €15,000 ($18,766, £12,046) fine. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/france_telecom_chief_investigated/

BA staff to google for snaps, dirt on biz-class passengers

British Airways has denied “compiling secretive data” about its business-class passengers after launching its “Know Me” programme to personalise customers’ travel plans.

The Evening Standard today reported that BA staff will be given Apple iPads and told to use Google to research key frequent flyers. The employees are encouraged to download individuals’ pictures, provided by a Google Images app, to help them identify the VIPs as they arrive.

A spokeswoman at the company told The Register that BA was not holding customer dossiers in some sinister fashion, but instead described “Know Me” as a loyalty programme for those people travelling business class with the airline.

Nonetheless, it’s difficult not to question the company’s data-handling strategy when it offers up nuggets such as this in its press release announcing “Know Me”:

Its purpose is to collate a wealth of data from every experience the customer has with the airline and translate that into meaningful service for that individual.

Which, here on the networks desk at Vulture Central, sounds an awful lot like an identity database.

The scheme is limited in scope at the moment, but BA told us that it may be rolled out to other passengers if it proves a success with punters.

In the meantime, BA staff are focussing on what the company’s spokeswoman described as “captains of industry coming through the airport”. The airline wants its staff to bone up on biz leaders who may already have a big media profile online.

Looking at images of those individuals on Google will apparently aid that process.

However, when quizzed, the BA spokeswoman said that no facial recognition technology (software that, for example, is already used to greet hotel guests) was being used by the international people-carrier to pinpoint top businessmen and women.

She declined to clarify exactly whether customers could opt in or out of being stalked online by BA crew ahead of them taking their seat on the plane.

“There’s no tick box involved,” the BA spokeswoman told us, but added that passengers uncomfortable with the service could request not to be tracked in quite such a “personalised” manner.

Add to that the fact that most business class travellers do not book their flights themselves and it becomes difficult to see how those individuals might prevent such personalisation ahead of boarding their BA flight.

The BA spokeswoman assured El Reg in an emailed statement that the company is “entirely compliant with the UK Data Protection Act” and added that the airline “would never breach that”.

She added:

Know Me is simply another tool to enable us to offer good customer service, similar to the recognition that high street loyalty scheme members expect. For example, it could flag up that a customer is travelling in business class for the first time so our crew can approach them and check if they need any information about the seat.

Alternatively, if someone has experienced a delay due to weather in the past then our customer service staff can apologise for that and thank the customer for continuing to fly with us. It could also advise our staff if a customer prefers not to be approached with messages when onboard.

That final comment may concern privacy campaigners because it appears to suggest that a “personalised” database on each biz class passenger is indeed maintained by BA, but if a customer declines such a service then the crew will simply be prompted NOT to use the information on the passenger that readily flashes up on their fondleslabs.

BA hasn’t updated its main privacy policy since 2009. Among other things the airline states in the meaty small print:

We retain the data you provide from time to time, including your purchase history and data we collect when you use our services and facilities. Your data may be used and retained for the following purposes: accounting, billing and audit, credit or other payment card verification and anti-fraud screening (which may, for example, involve the use of credit reference agency searches and nominal payment card revalidation checks), immigration and customs control, safety, security, health, administrative and legal purposes, statistical and marketing analysis, operation of frequent flyer programmes, systems testing, maintenance and development, customer surveys, customer relations and to help us in any future dealings with you, for example by identifying your requirements and preferences.

For these purposes we may disclose your data to any of the following who may retain that data in accordance with applicable laws: other companies in the British Airways group, airlines and other companies involved in meeting your requirements, our oneworld partner airlines and franchisees, data processing companies, travel agents, government and enforcement agencies, credit and charge card companies, credit reference agencies and screening service providers. This may involve sending your data between different countries, including countries outside the European Economic Area, including countries where under their local laws you may have fewer legal rights.

It’s nearly all there: data retention, third party access etc, but sadly there’s no mention whatsoever of Googling for pictures of passengers ahead of them boarding their flight. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/british_airways_staff_google_images/

DNSchanger shutdown may kick 300,000 offline Monday

An estimated 300,000 computers will lose their internet connections when the FBI switches off the substitute command and control servers it has been running for the DNSChanger botnet on Monday.

The FBI took control of the botnet in November after identifying its command servers and swapping them out for its own systems – as well as arresting six Estonians accused of running the scam. But it left the substitute servers running, since shutting them down would have disrupted the connections of the infected systems, which at the botnet’s height accounted for over four million computers.

DNSChanger alters infected machines’ DNS settings so that their lookups go to the gang’s own servers, which then push scareware and advertising to them. Shutting those servers down, however, will leave infected computers unable to resolve websites and email properly until a fix is applied. The FBI had been due to shut down DNSChanger in March, but left it up for an extra three months to allow more time for users to disinfect their systems.

Companies and governments have made a big effort to clean systems with the help of the DNS Changer Working Group (DCWG), which was set up by security experts to manage the problems. But according to the latest DCWG data, there are still 303,867 infected systems out there, with around a fifth of those based in the US.

Checking for infection is simple enough: the malware leaves its footprint in the machine’s DNS settings. Links on the FBI and DCWG sites let users check automatically whether their resolver settings point at the rogue servers, and fixes are available for Windows systems down to and including XP. Security software vendors have had detection signatures and free removal tools out almost since DNSChanger was first identified. The DCWG recommends running these more than once to make sure the infection is fully removed.
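The check the FBI and DCWG pages perform amounts to comparing the machine’s configured resolvers against the known rogue address blocks. As an added example (not DCWG, FBI or vendor code), the script below pulls resolver addresses from resolv.conf-style text and from `ipconfig /all`-style output and flags any that fall inside those blocks. The six ranges are the ones the FBI’s public notice listed for the DNSChanger servers; they do not appear on this page, so treat them as an assumption to re-verify against the DCWG before relying on the script. The sample configurations are constructed.

```python
"""Flag resolver settings that point at the DNSChanger rogue servers.

Constructed example, not DCWG/FBI code. The address blocks below are the
six ranges from the FBI's public notice (assumption; verify with DCWG).
"""
import ipaddress
import re

ROGUE_RANGES = [
    ipaddress.ip_network(net) for net in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def extract_resolvers(config_text):
    """Return resolver IPs from resolv.conf lines ('nameserver X') or from
    Windows 'ipconfig /all' output, where extra DNS servers follow the
    'DNS Servers' line on indented continuation lines."""
    resolvers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            resolvers += IPV4.findall(stripped)
            in_dns_block = False
        elif "DNS Servers" in line:
            resolvers += IPV4.findall(line)
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(stripped):
            resolvers.append(stripped)   # continuation line of the DNS list
        else:
            in_dns_block = False
    return resolvers


def classify(resolvers):
    """Split addresses into (rogue, clean); unparsable strings are dropped."""
    rogue, clean = [], []
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if any(ip in net for net in ROGUE_RANGES):
            rogue.append(addr)
        else:
            clean.append(addr)
    return rogue, clean


def is_infected(config_text):
    """True when at least one configured resolver is in a rogue range."""
    return bool(classify(extract_resolvers(config_text))[0])


# Constructed sample configurations for the demonstration.
SAMPLE_LINUX = """# constructed /etc/resolv.conf
nameserver 85.255.113.7
nameserver 8.8.8.8
"""
SAMPLE_WINDOWS = """   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        rogue, clean = classify(extract_resolvers(text))
        print(name, "ROGUE" if rogue else "clean", rogue or clean)
```

Remember that the malware also changed settings on some home routers, so a clean host configuration does not rule out a hijacked upstream resolver: run the same check against the router’s DNS settings, or against the addresses a DHCP lease actually hands out.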

So who’s going to be left looking at a dead connection on Monday? Security firm IID estimated last month that 12 per cent of the Fortune 500 firms and 4 per cent of “major” US government organizations still have machines infected with DNSChanger, although it noted things were improving rapidly.

No doubt many consumers will also add to those numbers, so expect a call from your aging relatives on Monday, asking why they can’t make the internets work. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/dnschanger_botnet_shutdown/

Did your iPhone ‘just stop working’?

Apple was awarded patents on 21 of its design and engineering applications yesterday – including one for a head-mounted immersive visual display.

The other 20 are a little less visionary, but at least one of the patents awarded could have an impact on fanbois who have given their phones an immersive watery experience.

Patent 8,210,032 is designed to help Apple staff determine whether or not a dysfunctional iPhone had in fact been dropped in a pint of beer/the toilet/the swimming pool/etc. Good news for warranty-enforcing Apple store staff, not good news when your boss subsequently rumbles you for ruining a corporate handset.

Apple says in the patent:

Water exposure is among major reasons that may cause significant malfunction of devices […] Therefore, verification of significant water exposure (or water immersion) is important to manufacturers of the devices. For example, for purposes such as warranty claim assessment, trouble-shooting for repairs, and product development.

The design outlines a water-detecting component that would fit into the case of a gadget and would determine whether – and to what degree – the device had been dunked in water.

It ain’t rocket science – it consists of a water-reactive material containing a soluble dye, plus a small hole. From the patent’s description the water-detecting module would fit inside the case – somewhere that a Genius Bar operative could reach it, but a fiddling fanboi can’t.

To determine whether device 100 has previously been immersed in water, an inspector 170, such as a representative of the manufacture of device 100, may open cover 108 and remove removable module 110 to see whether detector 102 has changed color.

Alternatively a little display hole on the gadget’s surface would reflect whether you’d dunked your iPhone in water.

Apple has submitted some pretty weird patents, such as its privacy-by-cloneware idea. But the rest of this batch are fairly mundane: there’s a whole patent on a new packaging design, another on an iPod stand, and others deal with small software tweaks: for example one which allows you to view multiple application windows in a user interface and one which will allow you to listen to certain tracks in a fixed sequence even when playing tracks on random shuffle.

The patent ‘Water detection arrangement‘ was filed on 15 January, 2010 and awarded on 3 July, 2012. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/apple_patent_water_detection/

Europe’s prang-phone-in-every-car to cost €5m per life saved

Members of the European Parliament are backing calls for a mandatory eCall scheme, forcing every car sold in Europe to be fitted with an embedded mobile communications device to save an estimated 2,500 lives.

The European Commission has already adopted eCall, which mandates the fitting of a mobile device in every private car sold by 2015, but now the Parliament has passed a resolution pushing for legislation to turn it into a law, as voluntary adoption has been derisory, and extending the technology into (hitherto exempt) motorcycles and trucks too.

The embedded phone will automatically call the emergency services following an accident, reporting the location of the vehicle and force of the impact, but at a price the EU estimates at €100 per vehicle.

The law will only apply to new vehicles, so the money will be spent over a decade or so. Even if we assume the average cost is halved in that time there are almost 250 million cars in the EU that’ll need replacing over the next 10 years, ringing up a €12.5bn bill.

One has to ask if it’s really worth spending that much money to save 2,500 lives.

It could reduce injuries too, by as much as 15 per cent according to the proposal backed by Czech representative Olga Sehnalova and German Dieter-Lebrecht Koch and passed by the Parliament. But those figures assume aid will arrive faster when summoned automatically, as opposed to a call placed by a concerned bystander.

There isn’t always a concerned bystander, or surviving passenger, handy, but in the vast majority of accidents there’s someone about. One might even argue that bystanders will be less willing to place the call (and perhaps lend other support) when they know the vehicle will have summoned aid already – but perhaps we’re being too cynical.

What is clear is that the insurance industry and police think this is a marvellous thing, being able to track people in the moments before an accident means cheaper premiums (for safer drivers) and easy placing of blame following an incident.

Even the MEPs accept that privacy protection will only go so far: “The resolution stresses that the eCall service must not be used to monitor a person’s movements or determine his or her location unless that person has been involved in an accident.”

So once the call is placed then the car is free to report back on everything which happened up to that point.

And let’s be clear: eCall might not mandate tracking, but insurance companies are already offering cheaper policies to those who consent to it. Once the technology is embedded in every car there’ll be no argument against agreeing, with insurance premiums which reflect that: a few curmudgeons might pay over the odds to avoid being monitored, for a while, but it will quickly become accepted as the price one pays for safer roads.

That’s despite the fact that, in the UK, our roads are already among the safest in the world, but not as safe as they’ll be once we’ve all shelled out an additional €100 for our cars, and drive in the knowledge that they’ll sneak on us the minute we bump into someone else. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/ecall/

‘Apple is corrupting App Store downloads’, warn angry devs

Apple’s App Store is apparently damaging the contents of applications as they’re downloading, leaving developers flooded with complaints about errors they can’t fix.

The file corruption problem seems to have started yesterday. Instapaper’s Marco Arment was one of the first devs hit: he uploaded a new version of Instapaper to the iTunes shop for users to fetch and install, and almost instantly received complaints that his program was crashing on launch, despite the build working perfectly when he submitted it.

Since then he has compiled a list of more than 20 affected apps. Apple remains typically taciturn.

Not that Cupertino hasn’t been busy – some of the listed applications, including Instapaper, are apparently now working properly – but despite the fix there’s been no word to developers or response from the Apple team about what’s going on or how to fix it.

The list of applications includes such hits as Angry Birds in Space HD Free and Pinball Maniacs, and The Verge confirms that many of them are failing the instant they’re launched, generally displaying no error message at all but occasionally reporting that the app is damaged, or reporting an error in Apple’s FairPlay DRM system.

GoodReader, another of the applications which isn’t working, has posted comprehensive instructions for users who want to roll back a version or two as well as some detailed analysis of the problem, which suggests that it’s only users who download updates immediately on receiving the notification who are affected.

The developer stated: “While in theory Apple’s servers must be ready to distribute the new app binary by the time they start sending update notifications to users’ devices, something goes wrong inside Apple’s distribution servers, and customers receive a damaged binary instead of the good one that we’ve sent to Apple.”

What exactly is going wrong only Apple knows, and it has not responded to our questions on the matter, but Arment is recommending that developers hold off uploading updates for a day or two while users might want to be similarly cautious, at least until Apple gets it sorted out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/apple_curruption/

Bank Trojan crooks trouser £800k from 30,000 Brits

Analysis Trustwave SpiderLabs has revealed how criminals stole more than £800,000 (€1m) from UK bank accounts using the Zeus Windows PC malware.

The scam – which ran from June to November last year – targeted customers of six banks in Britain. It began with a flurry of emails that tricked marks into clicking on a link to a fake Facebook login page on the crooks’ servers.

The bogus website then offered to install a Flash plugin upgrade that contained a bot, a piece of software that allows a hacker to control a compromised machine. Even if a victim refused to take the update, the page used the Blackhole kit to detect the computer’s security vulnerabilities and exploit them to install the electronic nasty if possible.

Once in place, the bot hides itself from view and downloads the Zeus Trojan to silently install. This piece of malware then interferes with the victims’ online banking transactions to quietly redirect money to “mule” accounts.

Users within the UK were specifically targeted using geo-fencing that identified a visitor’s location from the IP address of their internet connection. Machines in South America were whitelisted to protect them from infection, as were the criminals’ own test machines and those of affiliates in their network.
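The lure, the exploit kit and the geo-fence above only make sense together: the landing page decides per visitor whether to hand over the Flash-update lure and exploit-kit code or a harmless decoy. The model below is an added example, not Trustwave’s analysis code or anything recovered from the gang’s servers; it combines the three filters the write-up mentions (an affiliate/test-machine whitelist, a country geo-fence, and a Windows-only check, since Zeus is Windows malware) and reports which page a client would be served. The country table, address blocks and user-agent strings are constructed for illustration.

```python
"""Server-side gating of a malicious landing page: whitelist, then
geo-fence, then platform check. Constructed model, not real campaign code.
The geolocation table and address blocks below are made up."""
import ipaddress

# Constructed stand-in for a GeoIP lookup table: network -> ISO country code.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "BR",
}
# Operators' own test boxes and affiliates, which must never be infected.
WHITELIST = [ipaddress.ip_network("192.0.2.0/28")]
TARGET_COUNTRIES = {"GB"}


def geolocate(ip):
    """Country code for an address, or None when the table has no entry."""
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return None


def serve(client_ip, user_agent):
    """Decide what the fake login page hands to a visitor.

    'decoy'   - the phishing page only: whitelisted, out of region, or not
                a Windows browser (the payload only runs on Windows).
    'exploit' - the phishing page plus the Flash-update lure and the
                exploit-kit landing code.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in WHITELIST):
        return "decoy"                       # never infect our own side
    if geolocate(ip) not in TARGET_COUNTRIES:
        return "decoy"                       # outside the targeted region
    if "Windows" not in user_agent:
        return "decoy"                       # payload would not run anyway
    return "exploit"


if __name__ == "__main__":
    win_ua = "Mozilla/5.0 (Windows NT 6.1; WOW64)"   # constructed UA
    for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.3", "192.0.2.200"):
        print(ip, serve(ip, win_ua))
```

The practical consequence for analysts is visible in the last branch: a sandbox whose egress address geolocates outside the target country, or that presents a non-Windows browser, fetches only the decoy and never sees the exploit chain. Reproducing an infection therefore needs an egress address and a client fingerprint that match the intended victim.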

Ziv Mador, director of security research at Trustwave SpiderLabs, explained that the crooks behind the assault had used the same server in Moldova associated with a previous Zeus-powered scam, which was detected in August 2010. This operational security mistake allowed his analysts to obtain access to logs and other information that allowed them to profile the attack.

Trustwave found that the money thieves managed to infect approximately 30,000 PCs, the majority of which are in the UK. The malware used more advanced cloaking techniques than the previous assault so that it could communicate with command-and-control servers while remaining undetected. In addition, the 2011 attack was on a greater scale than its 2010 predecessor and involved several affiliates, each launching bots of their own.

Detection rates of the Trojan by anti-virus software throughout the run of the attack were low and consistently under 20 per cent, according to Mador. The crooks tweaked the malware delivered via the attack every couple of days in order to outpace detection.

The brains behind the fraud

“The unique thing about this attack was the algorithm to mask transactions,” Mador told El Reg regarding the way in which the thieves siphoned cash from victims’ accounts. “The cybergang maintained a database of money mules and they wouldn’t use a money mule again, at least until a transaction had cleared. There was a lot of automation.”

The 2011 attack was carried out using the Smoke Loader tool, which centrally manages the network of compromised computers, as well as the Blackhole exploit kit; the 2010 attack relied on the less sophisticated Elixir toolkit. Each kit tries to automatically install a payload of malicious software when a victim visits a booby-trapped website by exploiting security holes in web browsers, Java runtimes, Flash players and other software.

Trustwave SpiderLabs handed its research to UK police last year. It published a series of articles into the technical details of the attack after getting the go ahead from cops, who were satisfied that disclosing this information would not compromise their investigation.

It is unclear whether any arrests have been made over this particular scam, which is all too commonplace.

The blog posts by Trustwave SpiderLabs on Zeus can be found here: part 1, part 2, part 3, part 4 and part 5.

Each is full of technical descriptions and code analysis for those that way inclined.

Meanwhile, Microsoft has named two ringleaders in a banking scam that relied on the Zeus Trojan: Ukrainian nationals Yevhen Kulibaba and Yuriy Konovalenko, who are serving time in UK prisons following convictions last year and now face possible US extradition proceedings.

McAfee has also published details of a £60m attempt to target the bank accounts of the well-heeled. Operation High Roller used SpyEye and Zeus, man-in-the-browser techniques and automation comparable to the Zeus caper chronicled by Trustwave SpiderLabs, but was arguably even more sophisticated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/05/trustwave_zeus_analysis/

Facebook: Our phone app DID seize your email

Facebook has admitted its mobile app altered phones’ contacts books to use @facebook.com addresses.

The hijack stems from a flaw in the website’s design and the decision to provide every user with an @facebook.com handle that forwards to their Facebook message inbox. These addresses are now shown on the site’s Timeline to encourage their use.

A bug in the Facebook contacts API caused the mobile client to download and save the most recently added email address, rather than the account default, when synchronising a user’s friends list and the phone’s contact book. Because the “most recent” was the Facebook address, punters’ contacts were rewritten and their email rerouted as a result.

Reports of missing messages were, as predicted, down to mails from non-friends being filed away in the “Other” mailbox on the social network. That’s a feature which must surely annoy anyone using Facebook groups (messages from other group members get similarly tucked away) but it’s really a result of one not having enough mates.

Despite overwriting personal address books and hiding received emails, Facebook is anything but contrite. The official statement from the company explains that “for people on certain devices, a bug meant that the device was pulling the last email address added to the account rather than the primary email address” without any obvious admission of whose bug that was.

It was Facebook’s bug.

Team Zuck says it will have a fix in place first thing on Thursday, after which contact lists will automatically return to using the default email address – assuming the affected users still have the Facebook app installed and set up to synchronise. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/04/facebook_contacts/

Border Agency comes out with another e-Borders deadline

The government has defended its under-fire Border Agency after MPs blasted the e-Borders passenger-scrutinising system as broken and its £9m iris scanners a waste of money.

The written response to a Parliamentary select committee’s report on the agency does make some concrete promises including extending the e-Borders technology to cover maritime and railway passengers by 2014.

The traveller identification project has slipped some notable deadlines: by July 2011, the e-Borders system was collecting details of 55 per cent of passengers and crew on airlines, with no coverage of ferries or trains. The original target was to collect 95 per cent of passenger and crew details across all modes of transport by December 2010, and full coverage could now take another two years.

“We believe that the technical ability to collect data from the rail and maritime sector can be delivered by December 2014,” the government report stated, although officials haven’t worked out a way to deal with the data yet. “We are working closely with these sectors, and European partners, to find an operationally viable way to capture this data.”

In response to the lack of confidence in e-Gates evinced by Border Agency staff – as well as the complaints from frustrated travellers – the government reiterated that the smart chip-checking gates are fine, and made some commitments to step up communications with front-line staff. It added that it had improved the servicing contract for the e-Gates:

We work closely with our suppliers to ensure we provide a good e-Gate service and we have recently improved our service management contract to a 24/7 service. The resilience of the e-Gate system is achieved by having banks of e-Gates that allow the service to continue even when one gate develops a fault.

The government also batted off criticisms that the figures and data coming out of the Border Agency were so opaque and contradictory that even the agency’s own CEO couldn’t understand them, promising to be as transparent as possible.

And as for the £9m spent on iris scanners – withdrawn this year – and the stored eye scans of 5 million people who used them, the government repeated that both would be decommissioned this year:

The lifespan of any IT equipment is finite. IRIS is planned for closure because the system is close to the end of its useful life. IRIS images (not retinal scans), along with all personal data, will be destroyed six months after decommissioning.

The Whitehall bods stuck to their story that the data gathered from the iris scanner trials was useful in helping them decide not to use iris scanners any more: “We are currently developing a strategic plan for automation but it is likely that IRIS as a biometric will not be used.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/04/government_responds_to_border_agency/