STE WILLIAMS

69,000 sign petition to save TV-linker O’Dwyer from US extradition

Wikipedia founder Jimmy Wales has got over 69,000 signatures on a petition to save a 24-year-old Briton from extradition to the US.

Wales wants British Home Secretary Theresa May to save the youngster from being sent to the US, where authorities want to try him for copyright infringement. The Wiki-daddy sees the plight of O’Dwyer as a test case for the copyright-censorship debate:

The internet as a whole must not tolerate censorship in response to mere allegations of copyright infringement. As citizens we must stand up for our rights online.

Wales lists out his objections to extraditing O’Dwyer:

I’m concerned about this case because O’Dwyer is not a US citizen, his site (TVShack.net) was not hosted there, and most of his users were not from the US. I don’t understand why America is trying to prosecute a UK citizen for an alleged crime which took place on UK soil. If there was a crime it should be investigated and tried here in the UK, not in the US.

Because Wales is not a UK citizen or resident, he cannot use the UK government’s official epetition site: epetitions.gov.uk. Petitions that get at least 100,000 signatures on the government site are considered for Parliamentary debate: there seem as yet to be no official epetitions for O’Dwyer. The Change.org petition seems to be an awareness-raising exercise.

We note that there is another petition related to Jimmy Wales on Change.org, though not initiated by the great man himself. The petition ‘Replace the image of Jimmy Wales with that of a golden retriever’ came about in response to his annual fundraising campaign, which often features images of his face.

“We believe that replacing his face with that of a becoming and equally plaintive Golden Retriever would negate the offputting factor, and in fact increase the appealing factor to a significant degree,” the petition states. However it has only received 14 signatures and is now closed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/27/jimmy_wales_richard_odwyer/

FBI nabs 24 in card-fraud forum sting

Updated An FBI sting operation against an underground carding forum has resulted in 24 arrests.

The Carder Profit forum had been run by undercover Feds for the last two years, yielding intelligence that resulted in arrests in eight countries.

The sting – dubbed “Operation Card Shop” – began in June 2010 when the FBI itself set up the Carderprofit.cc forum, which enabled discussion between members relating to the trade in credit card details and compromised personal information. The underground site was set up by the Feds to attract users of similar forums and thereby allow monitoring of their criminality. According to a canned statement from SOCA, the website had approximately 2,000 registered members when it was taken offline last month.

Those arrested include a man purported to be “JoshTheGod”, leader of the UGNazi black-shirt hacking crew. According to the allegations in the complaint – which has been unsealed by the court – Federal investigators charge that Mir Islam, of Manhattan, was JoshTheGod. The FBI says that Islam, who is alleged to have founded Carders.Org – another carding forum – was arrested after he attempted to withdraw funds from an ATM using counterfeit credit cards supplied to him by an undercover FBI agent posing as a fellow cybercrook.

The FBI seized the web server for UGNazi.com, and seized the domain name of “Carders.org” – taking both sites offline, following the arrest on Monday.

In total, 11 arrests were executed in the US while a further six arrest warrants were served in the UK. Two further suspects were arrested in Bosnia, and others were cuffed in Bulgaria, Norway, and Germany.

Two additional defendants were arrested in Italy and Australia.

Prosecutors charge that the suspects plotted on Carder Profit to run a “breathtaking spectrum of cyber schemes and scams”. Individuals sold credit cards by the thousands as well as casually offering “every stripe of malware and virus to fellow fraudsters”, according to Manhattan US Attorney Preet Bharara.

Other frauds included buying and selling stolen identities, counterfeit documents, sophisticated hacking tools and other contraband. Feds describe the operation as the biggest ever international crackdown on carding crimes to date.

Access to the Carder Profit Forum, which was taken offline in May 2012, was limited to registered members. Various membership requirements were imposed to restrict site membership to individuals with established knowledge of carding techniques. For example, at times, new users were prevented from joining the site unless they were recommended by two existing users, or unless they paid a registration fee.

A DoJ statement on the case can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/27/carder_forum_fbi_sting/

Crypto boffins: RSA tokens can be cracked in 13 MINUTES

Crypto boffins have developed an attack that’s capable of extracting the protected information from hardened security devices such as RSA’s SecurID 800.

The research (PDF), developed by a group of computer scientists who call themselves Team Prosecco – due to be presented at the CRYPTO 2012 conference in August – is a refinement of existing techniques. But the big news is that this attack is capable of extracting information in just 13 minutes, instead of hours.

Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato, Graham Steel and Joe-Kai Tsay say that the attack works against a variety of devices that protect access to computer networks or digitally sign e-mails. The side-channel attack also works against RSA’s SecurID 800 and many other devices that use the PKCS #1 v1.5 padding mechanism, including electronic ID cards such as those issued by the government of Estonia as well as smartcards and USB tokens, the researchers claim.

Aladdin’s eTokenPro, SafeNet’s iKey 2032, Gemalto’s CyberFlex, and Siemens’ CardOS are among the technologies vulnerable to the attack, they write. The Siemens device took 22 minutes to crack, while the Gemalto withstood attacks for 89 minutes.

The attack relies on exploiting the encrypted key import functions of a variety of different cryptographic devices. Imported ciphertext is subtly modified thousands of times to gradually produce clues about the targeted plaintext stored inside a cryptographic wrapper by analysing error codes – an approach called a “padding oracle attack”. The approach refines an attack originally developed by a cryptographic researcher called Bleichenbacher.
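As an added illustration (not code from the researchers, RSA or the original article), the Python sketch below shows what “analysing error codes” means for a PKCS #1 v1.5 key import: one checker reports why a decrypted block was rejected, the other returns a single failure status for every cause. The status names, the 32-byte block size and the sample blocks are assumptions constructed for the example.

```python
from enum import Enum

MIN_PAD = 8  # PKCS #1 v1.5 requires at least 8 nonzero padding bytes


class Status(Enum):
    """Hypothetical status names for this example, not any vendor's real codes."""
    OK = "ok"
    BAD_HEADER = "bad_header"
    NO_SEPARATOR = "no_separator"
    SHORT_PADDING = "short_padding"
    BAD_KEY_LENGTH = "bad_key_length"
    FAILED = "failed"


def check_verbose(em: bytes, key_len: int) -> Status:
    """Check a decrypted block 00 || 02 || PS || 00 || key and say why it failed."""
    if len(em) < 2 or em[0] != 0x00 or em[1] != 0x02:
        return Status.BAD_HEADER
    sep = em.find(b"\x00", 2)  # the first zero byte ends the padding string
    if sep == -1:
        return Status.NO_SEPARATOR
    if sep - 2 < MIN_PAD:
        return Status.SHORT_PADDING
    if len(em) - sep - 1 != key_len:
        return Status.BAD_KEY_LENGTH
    return Status.OK


def check_uniform(em: bytes, key_len: int) -> Status:
    """Same checks, all evaluated, with one failure status for every cause.

    Python gives no constant-time guarantee; a real device must also keep
    its timing independent of which check failed.
    """
    header_ok = len(em) >= 2 and em[:2] == b"\x00\x02"
    sep = em.find(b"\x00", 2)
    pad_ok = sep != -1 and sep - 2 >= MIN_PAD
    len_ok = sep != -1 and len(em) - sep - 1 == key_len
    return Status.OK if (header_ok and pad_ok and len_ok) else Status.FAILED


# Constructed 32-byte sample blocks (what a device would hold after RSA decryption).
KEY_LEN = 16
SAMPLES = {
    "valid":          b"\x00\x02" + b"\x11" * 13 + b"\x00" + b"\xaa" * 16,
    "bad_header":     b"\x00\x01" + b"\x11" * 13 + b"\x00" + b"\xaa" * 16,
    "no_separator":   b"\x00\x02" + b"\x11" * 30,
    "short_padding":  b"\x00\x02" + b"\x11" * 3 + b"\x00" + b"\xaa" * 26,
    "bad_key_length": b"\x00\x02" + b"\x11" * 10 + b"\x00" + b"\xaa" * 19,
}


def observable_classes(checker) -> set:
    """Distinct responses a caller of the import function could tell apart."""
    return {checker(block, KEY_LEN) for block in SAMPLES.values()}


if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(f"{name:15} verbose={check_verbose(block, KEY_LEN).value:15} "
              f"uniform={check_uniform(block, KEY_LEN).value}")
    print("verbose classes:", len(observable_classes(check_verbose)))
    print("uniform classes:", len(observable_classes(check_uniform)))
```

Collapsing the failure codes reduces what each import attempt reveals, but the accept/reject answer itself remains observable, which is why the superseded v1.5 padding is the underlying weakness.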

RSA downplayed the practical significance of the attack. “While the research is scientifically interesting, it does not demonstrate a new or useful attack against RSA SecurID 800,” a spokesman told El Reg.

He added that the attack does not affect SecurID tokens in general and only represents an optimisation of previous attacks against PKCS#1 v1.5, an older standard that is still supported by many smart card devices, even though it has been superseded.

RSA published a blog post on Tuesday night explaining its response to the cryptographic research in greater depth here. The security firm was at pains to emphasise that the attack does not allow an attacker to compromise private keys stored on the smartcard, only the contents of any encrypted data it might hold. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/27/smartcard_crypto_attack/

Automated bank scam ‘Operation High Roller’ stole from the rich

Security researchers have uncovered a sophisticated, multi-tiered financial fraud ring that may have defrauded businesses, wealthy individuals and banks of tens of millions of dollars.

Operation High Roller bypasses multi-factor authentication technology employed by banks to attempt fraudulent transactions of €60 million ($80m) worldwide since the scam began operating at the start of the year, according to security researchers from McAfee and Guardian Analytics that uncovered the fraud.

Analysts from the two firms reckon the fraudsters targeted at least 60 banks and financial institutions of varying sizes. The figures of attempted financial fraud are based on the analysis of only a few European-based servers linked to the scam and the true figure of attempted fraudulent transactions is likely to be much higher than the $80m base estimate cited by McAfee.

Banking fraud using Zeus and SpyEye malware to compromise online bank accounts, tied in with local money-mules to compromised accounts, is all too commonplace.

Operation High Roller added a number of innovations to this basic scam including techniques to bypass physical “chip and pin” authentication, automated mule account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 ($130,000).

Initial reconnaissance and infection of victims in Operation High Roller was normally carried out using a customised version of the SpyEye banking Trojan toolkit. Less ubiquitous variants of the ZeuS cybercrime toolkit were deployed. Operation High Roller targeted at least a dozen banking groups that use active and passive automated transfer systems.

“Where transactions required physical authentication in the form of a smartcard reader (common in Europe), the system was able to capture and process the necessary extra information, representing the first known case of fraud being able to bypass this form of two-factor authentication,” the researchers note.

The scam targeted high balance accounts held by either businesses or well-heeled individuals.

Compromised accounts were systematically siphoned using automated transactions. Instead of using traditional man-in-the-browser attacks on the victim’s PC, instructions to compromised PCs came from cloud-based servers maintained by the as yet unidentified crooks behind the scam. Instead of using multi-purpose botnet servers, the cybercrooks behind High Roller relied on purpose-built and dedicated servers to process fraudulent transactions.

These innovations allowed the fraudsters to achieve a “high level of automation that captures one-time passwords, checks account balance, initiates transactions, and checks a mule database to find an active mule account, all without fraudsters’ active participation,” Guardian Analytics explains.

The fraud involved a relatively small number of attacks on high-balance accounts. Fraudsters have been at pains to carry out the fraud as surreptitiously as possible. After the transaction, the malware will erase confirmation emails, prevent printing of statements, and change transaction values to match what the victim expects to see.

The banking fraud scam ring principally targeted victims in Europe, but it also hit victims in further flung locations including Colombia and the US.

A report, Dissecting Operation High Roller, explaining the elaborate scam in greater depth, can be found here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/27/automated_banking_scam/

Apple users get pricier hotel options from Orbitz

Online booking site Orbitz has run into PR problems with an experiment in differentiated selling between Apple and PC users.

Analysis by the Wall Street Journal showed that on Orbitz’s basic search Apple accounts were shown hotels at the pricier end of the market, costing an average of 30 per cent more than those offered to PC users. Naturally some sections of the media are up in arms because this sounds sinister, but actually it makes business sense.

Last month Orbitz CEO Barney Harford wrote a USA Today piece that explained the situation. The company’s analysis of 750TB of its data showed that Apple users coming to its website were 40 per cent more likely to book at the top end of the hotel room market with a four or five star room. Consequently it was reflecting that in its rankings.

It also knows that the first results it puts up are the most likely to be used, for the unstated reason that people are generally lazy. Harford noted that 90 per cent of its customers reserved rooms displayed on the first page of their searches, with a quarter picking the first hotel on the list. If Apple users pay more, it is logical and good business sense to organize search in this way.

Orbitz is, after all, a business. It makes its money from bookings and the more expensive the better as far as it is concerned. Apple users generally spend more for their technology than other computer buyers and are, on the whole, wealthier. The booking service’s practice might make Apple users feel put upon, but there’s nothing compulsory in these listings and they are free to find cheaper options if they prefer, something Harford has confirmed on Twitter.

Nevertheless, plenty of Apple users have taken to Orbitz’s Facebook page to protest at the apparent injustice of having to sort their choices by price. Maybe they should Think Different about the whole issue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/26/orbitz_apple_pricing/

Hotelier faces FTC data breach lawsuit

“Repeated failures” to protect customer data have led the FTC to file a data breach lawsuit against hotel operator Wyndham Worldwide, whose brands include Ramada, Days Inn, Travelodge, Super 8 and Howard Johnson.

According to Reuters, the US regulator alleges that Wyndham’s slack security “led to hundreds of thousands of consumers’ payment card information being exported to an Internet domain address registered in Russia.”

The data breaches occurred between 2008 and 2010, with more than 600,000 accounts ultimately compromised. The agency says an unspecified number of customers had reported fraudulent transactions against their cards.

The FTC is also alleging that the hotelier made “deceptive claims” about its privacy policy. It puts the ultimate cost of the breaches at $US10.6 million.

The agency’s complaints also include that Wyndham failed to employ strong security measures (such as complex passwords), and that it stored credit card details as plain text.

According to the LA Times the company will contest the allegations, and says it always notified customers when breaches occurred.

Its statement says: “We regret the FTC’s recent decision to pursue litigation, as we have fully cooperated in its investigation and believe its claims are without merit.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/26/wyndham_data_breach_lawsuit/

MI5 boss: Cyber spies, web-enabled crooks threaten UK economy

The Director General of MI5 said that both business and government were on the front line of cyber attacks – and that assaults by both criminal hackers and foreign governments had reached an industrial scale.

Delivering the Lord Mayor’s Annual Defence and Security Lecture in London last night, Jonathan Evans revealed that MI5 is investigating cyber attacks against more than a dozen companies. He added that one major (unnamed) London business had suffered £800m in losses following an attack.

Britain’s National Security Strategy ranks cyber security alongside terrorism as a “tier-one security challenge faced by the UK” for good reason, Evans explained.

“Vulnerabilities in the internet are being exploited aggressively, not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both state-sponsored cyber espionage and organised cyber crime,” Evans warned.

“This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions. What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations.”

As the internet extends its reach beyond computers and servers to cars, traffic management systems, ATMs and industrial control systems, the scope of threats is only likely to increase, said Evans. He said that to date, terrorists had not made use of cyber attacks as a weapon but said it could happen in the future.

“So far, established terrorist groups have not posed a significant threat in this medium, but they are aware of the potential to use cyber vulnerabilities to attack critical infrastructure and I would expect them to gain more capability to do so in future,” he said.

MI5 (Military Intelligence, Section 5) works with GCHQ, the Department of Business Innovation and Skills, the Department for Energy and Climate Change and also with law enforcement – through the Centre for the Protection of National Infrastructure – to respond to cyber security threats and disseminate best practice. The intelligence agency boss said that the private sector had a key role to play in tackling cyber crime, saying businesses could help make the UK more resilient to cyber attacks.

Evans’s speech (transcript here) also covered the threat of terrorism more generally and as related to the upcoming Olympics. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/26/mi5_cyber_security/

Russian K-force operatives cuff suspected Carberp trojan bank raider

Russian police have arrested a 22-year-old man suspected of running a bank fraud network that infected six million machines, raking in an estimated 150 million roubles ($4.5m or £2.9m) in ill-gotten gains in the process.

The unnamed suspect, who is alleged to be the hacker known by the online nicknames “Hermes” and “Arashi”, is suspected of using variants of the Carberp Trojan to establish networks of compromised PCs, and subsequently renting them out to other cybercrooks (mostly in Moscow and St Petersburg). The online identity “Hermes” has been linked with the process of embezzling funds as well as malware distribution, Russian cops said. Most of the victims of the embezzlement were Russian businesses and consumers, a key factor that explains why Russian law enforcement aggressively followed up the case.

Carberp first emerged on the online banking fraud scene around two years ago as a competitor to the dominant financial malware platforms, Zeus and SpyEye.

A statement by the Russian Interior Ministry (MVD) said the arrest of the suspect follows a 10-month long investigation, which was led by officers from Russia’s MVD “K” Administration and assisted by Russian anti-virus firm Dr Web.

The interior ministry alleged that the suspect had used the proceeds of these crimes to buy a “luxurious house in one of the resorts in Russia and expensive premium-class foreign cars”, according to an English language translation of the statement. The ministry said the suspect laundered the remaining funds through legal enterprises. The man in custody faces charges based on violation of three articles in Russia’s criminal code, covering financial fraud, malware distribution and computer hacking offences.

Last week’s developments follow the arrests of a group of eight men suspected of making millions in electronic banking fraud using the Carberp Trojan and other strains of malware by Russian police back in March. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/26/carberp_trojan_suspect_arrest_russia/

Even Apples sometimes have worms in them, admits Cupertino

Mac computers can be buggy, Apple has finally admitted. Two days ago the firm quietly pulled the claim that the iOS PCs are immune to viruses from its website. The purveyor of shinier-more-expensive desktops has replaced its former claim with the more cautious statement that Macs are “built to be safe”.

The change was made to Apple’s website on Sunday, according to Sophos. Apple’s site now lists features which make Macs “safer” – including download alerts, security updates and data encryption.

The previous write-up claimed: “It doesn’t get PC viruses. A Mac doesn’t get the thousands of viruses plaguing Windows-based computers.”

Macs were notably breached by the Flashback Trojan early this year, which flourished in the absence of any action on Cupertino’s part, swelling into a zombie army of 650,000 Mac machines. Apple eventually grudgingly admitted that the infection existed and came up with a fix. Dr Web has a timeline here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/26/apple_computer_virus/

Lithe British youngsters prioritise fun over privacy and security

Silver surfers are more switched on about security than youngsters, even though the 18-25 age group are generally considered a more tech-savvy generation.

Young adults who have been around computers all their lives tend to prioritise entertainment and community over security and privacy, according to a new survey.

The survey of more than 1,200 PC users, sponsored by Check Point Software, found that 50 per cent of respondents in the 18-25 age group (Gen Y) have had security issues in the past two years, compared to less than half (42 per cent) of those aged between 56 and 65. Gen Y users had more security problems in spite of expressing greater (perhaps misplaced) confidence in their supposed security knowledge.

More than that, 78 per cent of Gen Y respondents fail to follow security best practices. By comparison, those approaching retirement were twice as likely to protect their computers with additional security software (paid antivirus, third-party firewalls, or integrated security suites), according to results from The Generation Gap in Computer Security survey (PDF). This leaves their sensitive data – such as tax records, financial info, and online passwords – at a greater risk of attack.

Only 31 per cent of Gen Y respondents ranked security as the most important consideration when making decisions about their computers in comparison to 58 per cent of Baby Boomers (56- to 65-year-olds). Gen Y prioritised entertainment and community above security, the survey found. Young adults (45 per cent) are more likely than silver surfers to view security software as being “too expensive”.

“Growing up in the digital age, Gen Y may appear to be a more tech-savvy generation, but that does not translate into safer computer and online practices,” said Tomer Teller, security evangelist and researcher at Check Point Software Technologies.

“Gen Y tends to prioritise entertainment and community over security, perhaps due to overconfidence in their security knowledge. For example, they’re more concerned about gaming or other social activities than their online security. They also have less sophisticated security software, and hence have reported more security problems than other groups, such as Baby Boomers.”

Check Point recently launched ZoneAlarm Free Antivirus + Firewall as a combined security suite. It also sells a range of paid-for products, principally but not exclusively to business, which means that the firm has a vested interest in highlighting consumer security mistakes. That doesn’t mean it’s wrong about tearaway young adults and lax security, however. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/26/gen_gap_security_survey/