STE WILLIAMS

Six in Tokyo slammer after Android smut scam

Six men including three IT executives have been arrested in Tokyo in connection with an Android malware scam which netted them over 20 million yen (£160,740).

Japan’s first arrests for the crime of distributing a smartphone virus came after over 9,000 people downloaded malware disguised as an application designed to play videos, according to the Daily Yomiuri.

The group, which is also being investigated on suspicion of developing the virus, decided to distribute it on an adult site it created, presumably luring victims into paying with the promise of being able to view video content.

Once downloaded onto a user’s phone, the app displayed a message demanding payment of 99,800 yen (£803), with the notice continuing to be displayed even when the victim tried to turn the device off.

The group also allegedly nicked personal data from the phone including contact information from the address book, and stored it on a server overseas, the report added.

The news highlights the continued threat to Android-based smartphones – one which becomes more alarming for IT managers given that many such devices are being used to access corporate networks as part of BYOD initiatives.

Tokyo-headquartered security vendor Trend Micro said Android malware grew by a whopping 1410 per cent in the first half of 2011.

Although only a very small number of the 400,000+ apps on Google Play are likely to be harmful, security professionals usually advise users to avoid third party app stores and other sites where malware is more likely to lurk.

The Chinese government has even been forced to voice concerns about security issues in app stores owned by state-run operators China Mobile and China Telecom. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/18/android_malware_japan_adult_site/

Honeynet looks to trap USB malware

The Honeynet project has picked up research by a German student to trap malware designed to spread via USB keys.

USB-distributed malware – like Stuxnet and its bloated cousin, Flame – presents problems for network-based security, since it doesn’t spread through the network.

The work of Bonn University student Sebastian Peoplau has now been added to the Honeynet project as Ghost-usb-honeypot. Like network honeypots, which emulate network clients to invite infection, the new project emulates USB flash drives to invite infection – via the USB drive rather than via the network.

The problem with trying to trap such malware is that it’s not practical to hand-test every machine in a network – especially a large network.

“We know, without having any knowledge about the actual malware … that if we plug in the USB flash drive, and wait for a sufficient time, the malware will eventually copy itself to the flash drive,” he said in a presentation in April (available on YouTube), prior to Honeynet adopting Peoplau’s ideas.

The Peoplau proposal is simply to emulate the USB drive in an image file, so that any attempt by the machine under test to write to the device can be trapped. The software loads virtual device drivers, letting Windows notify the system (including any malware that might be present) that a removable device has been plugged in.

The trapped copy of the malware can then be unloaded when the emulator is “unplugged”, and copied for analysis. Ghost-usb-honeypot’s page notes that the software is at “an early stage of development.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/17/honeynet_for_usb/

UK.gov Open Data site fills up with spam

Spammers have forced the Cabinet Office to close portions of the UK’s open data website.

Comments have been disabled after the CAPTCHA gateway was smartly circumvented.

“After a long analysis of the spam in our site, we have a strong feeling that human intervention is also at play,” writes Antonio Acuna, head of the data.gov.uk project, which is designed to “open up government”.

Gordon Brown set the “open data” gravy train in motion before the last election, but the great giveaway has become an emblem of Conservative 2.0 – and a magnet for consultants and ideologues.

While opening up the data for public use is overdue, the philosophy of the project ensures a lose-lose for the taxpayer: paying for valuable assets with no income generated. While flexible licensing, for example on a per-revenue basis, would ensure value that’s captured could be returned to the nation, open data zealots insist on giving it all away for nowt.

This incoherence was reflected in a highly critical National Audit Office report in April.

But the gravy train rolls on. In addition to £30m for the quango, and a hugely expanded Cabinet Office team, the taxpayer is chucking £10m at script kiddies to create Montessori mashups with the data sets. And the new quango is hiring a chief executive – with the salary in the range of £100,000 to £150,000 according to this job posting.

How much, exactly? It’s confidential. Not all data is open, you see. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/15/spammers_1_opendata_0/

Scots council: 9-yr-old lunch blogger was causing ‘distress and harm’

A Scottish council have said that a nine-year-old food blogger was misrepresenting her school dinners and distressing the canteen staff, by publishing a photoblog about her lunch.

The media attention caused by the photos, such as the one below, was causing “distress and harm” to staff, the council said.

School Dinner by Glasgow blogger Veg, credit Martha Payne, used with permission

The photos, such as this one, were causing distress and harm, said the council

The Argyll and Bute council have hit back strongly at claims that their dinner selection is unhealthy, justifying their decision to ban primary-schooler Martha Payne from continuing her school dinner blog NeverSeconds. They claim that the tot’s representation of her lunch was false:

Argyll and Bute Council wholly refutes the unwarranted attacks on its schools catering service which culminated in national press headlines which have led catering staff to fear for their jobs. The Council has directly avoided any criticism of anyone involved in the ‘never seconds’ blog for obvious reasons despite a strongly held view that the information presented in it misrepresented the options and choices available to pupils

The apparent emergence of an all-you-can-eat salad bar two weeks after the blog started was not a triumph for the blog, but had in fact been there all along, they claim, saying: “there have been no changes to the service on offer since the introduction of the blog.”

They clarified that they have not fully banned the blog, but have forbidden the taking of photos in the canteen.

the photographic images uploaded appear to only represent a fraction of the choices available to pupils, so a decision has been made by the Council to stop photos being taken in the school canteen.

The council asserted that they had received no complaints about the quality of the school’s dinner options for two years apart from the one received from the Payne family.

Those interested in more about the menus on offer in Lochgilphead Primary School, Scotland can be reassured that main course choices like meat or vegetarian lasagne served with carrots and garlic bread or chicken pie with puff pastry, mashed potato and mixed vegetables will be served over the next few months.

The publicity achieved by Martha’s campaign has raised well over £10,000 for the local food charity that her blog supports – Mary’s Dinners. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/15/nine_year_old_school_dinner_blog_inaccurate/

British LulzSec suspect charged in US over hacking

American prosecutors have filed charges with a federal grand jury against accused British LulzSec member Ryan Cleary over hacking attacks on Sony, Fox, and several US hosting companies.

Cleary, 20, is already facing charges in the UK that he hacked into the website of Soca (the UK police agency charged with investigating serious crime) and several music sites as part of his involvement with the LulzSec group. He was unable to attend the US event, as he’s currently residing in a British jail cell after breaching his bail conditions by going online.

Prosecutors claim that Cleary conspired with LulzSec to use a personal botnet with tens of thousands of nodes to break into his target computer systems by identifying their security vulnerabilities and exploiting them. The charge sheet claims that in April 2011 he got into the systems of the Fox Network’s “X-Factor” show to get details on audition applicants. He then hit PBS in May, an attack that was claimed by LulzSec at the time.

The FBI claim Cleary had a busy June. He is charged with the attack (also claimed by LulzSec) on Sony Pictures’ servers which stole information on the users of its website. He allegedly then set up lulzsecurity.com to publish that info and the Fox data, using resources from US hosting companies Linode, QuadraNet, and GigeNET to do so. He took the time to DDoS the servers hosting the game “League of Legends” before turning his attentions on the British police web site on June 20, the charges claim.

Cleary, who also used the handles “Anakin,” “hershcel.mcdooenstein”, “George hampsterman”, and “ni” (he’s apparently a fan of Monty Python’s knights), faces 25 years in prison – that is, if he ever makes it over to the States. He was one of the many people arrested after the FBI successfully turned LulzSec’s claimed leader Hector Xavier Monsegur, aka Sabu.

Monsegur pled guilty to hacking charges and cooperated with authorities, even turning Cleary in after the Essex boy contacted him while on bail. So far, further arrests have been made in the US, UK, and Ireland. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/15/cleary_lulzsec_hanking_charges/

PGP founder, Navy SEALs uncloak encrypted comms biz

Phil Zimmermann and some of the original PGP team have joined up with former US Navy SEALs to build an encrypted communications platform that should be proof against any surveillance.

The company, called Silent Circle, will launch later this year, when $20 a month will buy you encrypted email, text messages, phone calls, and videoconferencing in a package that looks to be strong enough to have the NSA seriously worried. Zimmermann says that surveillance by the state and others has increased vastly over the last few years, and privacy improvements are again needed.

“At the very least I want people, as part of their right in a free society to be able to communicate securely,” he said in a promotional video (below). “I should be able to whisper in your ear, even if your ear is a thousand miles away.”

Is this the privacy Holy Grail?

The Silent Circle package comes with downloadable applications for smartphones and computers that allow secure communication with other users. A member of the team told El Reg that the encryption architecture was “very, very good,” with some of the code coming as a result of seven years of research by team members.

Zimmermann has brought in former partner Jon Callas as cofounder (although Callas remains CTO of Entrust), along with a number of other engineering staff from PGP. Zimmermann was recently one of the original inductees into the Internet Society’s hall of fame for his work in bringing encryption to the masses through PGP.

The other two cofounders are former members of the US Navy’s Sea, Air, and Land (SEAL) unit: Vic Hyder and Mike Janke. Both run physical security businesses, and Janke is a privacy advocate and the author of the motivational book “Take Control”. Janke also reportedly has had 312 stitches, 17 broken bones, two blown-out knees and a crocodile bite scar.

PGP is the world’s most popular encryption system, in a large part because it’s free. But there’s a service element to this that needs to be paid for, and since the whole idea is to collect as little information as possible about the user, the company can’t get funding from advertising. At this price level, Silent Circle will be pitching its business at the enterprise market, particularly those traveling abroad, as well as the security-conscious at home.

While software can handle most of the work, there still needs to be a small backend of servers to handle traffic. The company surveyed the state of privacy laws around the world and found that the top three choices were Switzerland, Iceland, and Canada, so they went for the one within driving distance.

Silent Circle has recently come out of stealth mode ahead of the launch later this year and is offering a few lucky punters a chance to try out the private beta. We would imagine that a lot of the people hoping to try it out will have .gov or .mil associations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/14/pgp_seal_encrypted_communications/

Supreme Court dismisses Assange bid to reopen extradition case

Supreme Court judges have rejected Julian Assange’s bid to get his extradition case reopened, which means the 40-year-old WikiLeaks founder will be sent packing from Blighty in a fortnight’s time.

However, it’s likely that Assange will now take his case to the European Court of Human Rights to have one final attempt at getting his extradition to Sweden – where he is sought for questioning over allegations of sexual harassment and rape – overturned.

He had hoped to get another chance in the Supreme Court, after his lawyer Dinah Rose requested the stay of extradition by arguing that the use of the 1969 Vienna Convention on the Law of Treaties, which helped determine that Assange should be returned to Sweden to face questioning from prosecutors in that country, had not been previously cited in court.

Today, the justices – in a retort critical of Rose – outlined why they had dismissed the Australian’s bid to reopen the extradition case.

Had Ms Rose been minded to challenge the applicability of the Convention, or the applicability of State practice as an aid to the construction of the Framework Decision, or the relevance and admissibility of the material relating to State practice, she had the opportunity to do so. She made no such challenge. Her submissions were to the effect that caution should be exercised when considering the effect of State practice.

They said that Assange’s application was “without merit and it is dismissed.”

Assange has been given two weeks to pack his bags. Supporters are already attempting to raise cash for a defence fund. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/14/julian_assange_application_to_reopen_extradition_case_dismissed_by_supreme_court/

Wraps come off UK super-snooper draft plans

Legislation relating to communications data will be yanked out of the existing Regulation of Investigatory Powers Act (RIPA) and brought under a new regulatory framework if the Home Office’s plans to step up the monitoring of internet traffic pass through Parliament.

Home Secretary Theresa May unveiled her proposals for the UK’s rehashed internet super-snoop law today, which immediately led to the Home Office’s website collapsing.

At time of writing, the draft 117-page Communications Data Bill was unavailable online.

The Home Office proposed that the bill, which will now be scrutinised by a joint committee of MPs and peers as well as by the Intelligence and Security Committee (ISC), would “replace the dozens of currently available powers with a single piece of legislation”.

The ISC said: “We will take evidence and examine the rationale behind the proposals and how rigorous the safeguards are to ensure the privacy of individuals.”

On RIPA, the Home Office said in its draft bill:

Law enforcement agencies – the police, the Serious and Organised Crime Agency and Her Majesty’s Revenue and Customs – account for the overwhelming majority of annual requests for access to communications data under the Regulation of Investigatory Powers Act (‘RIPA’) 2000.

They have access to the full range of communications data. Other authorities with investigative or public protection responsibilities are able to access communications data, but most do not have access to more sensitive forms of communications data, for example data regarding the location of a mobile phone.

Local authorities account for less than 0.5 per cent of total annual RIPA requests for communications data. Following the implementation of the Protection of Freedoms Act, they will only be able to access this data if approved by a magistrate.

Communications technologies and services are changing fast with more communications taking place on the internet using a wider range of services, including voice over internet, online gaming and instant messaging.

Communications data from these technologies is not as accessible as data from older communications systems like ‘fixed line’ telephones. Although some internet data is already stored by communication service providers, other data is neither generated nor obtained because providers have no business need for it.

This means that the police are finding it increasingly hard to use some types of communications data to investigate crime. To address this growing gap, the proposals set out here will require some communications service providers to obtain and store some communications data which they may have no business reason to collect at present.

Nothing in these proposals will authorise the interception of the content of a communication. Nor will it require the collection of all internet data, which would be neither feasible, necessary nor proportionate. We will extend existing safeguards regarding data retention, access and oversight. And we will remove other statutory powers with weaker safeguards under which communications data can currently be accessed by public authorities.

The proposed regime would replace Part 1 Chapter 2 of the RIPA and Part 11 of the Anti-Terrorism Crime and Security Act 2001, a move that would represent a major rejig of current surveillance law.

As The Register reported earlier, ISPs will be expected to retain communications data by logging every website visit, as well as any access made by its customers to email accounts, Facebook and difficult-to-tap tech like peer-to-peer communications such as Skype for a minimum of 12 months.

But the Home Office will foot the bill, which it estimates will cost at least £1.8bn over the course of 10 years.

It added: “Benefits from this investment are estimated to be £5bn – 6.2bn over the same period.”

The £1.8bn figure is only marginally less than the one floated by the previous Labour government – prior to it abandoning its own Internet Modernisation Programme (IMP) in light of protests against such an unloved legislative overhaul.

ISPs will be able to appeal to a technical advisory board under dispute procedures if they complain that such requests for data are “unnecessarily onerous”.

Secretary General of UK ISP trade group, ISPA, Nicholas Lansman told El Reg:

ISPA has concerns about the new powers to require network operators to capture and retain third party communications data. These concerns include the scope and proportionality, privacy and data protection implications and the technical feasibility.

Under the proposals, the police, the National Crime Agency, spooks and the taxman would be able to “apply for access” to such data, the Home Office said.

It added:

“Hundreds of public bodies – including local authorities – currently have access to communications data, but will not be covered by the new laws unless Parliament agrees their use is vital to tackling crime and protecting the public.”

However, only a tiny number of comms data requests originate from local councils – so such a proposed change is likely to have a minimal impact. May confirmed this morning that 500,000 such requests from all British authorities are made each year. Arguably, that figure will balloon under any Communications Data Act.

The Home Secretary, in a canned statement, said:

Communications data saves lives. It is a vital tool for the police to catch criminals and to protect children.

If we stand by as technology changes we will leave police officers fighting crime with one hand tied behind their backs.

Checking communication records, not content, is a crucial part of day-to-day policing and the fingerprinting of the modern age – we are determined to ensure its continued availability in cracking down on crime.

The Information Commissioner’s Office (ICO) “will keep under review the security and integrity of the communications data retained,” the Home Office said.

The ICO noted such a move would be a burden placed upon its already swamped staff. It said:

If the Information Commissioner is to be in a position to ensure compliance with the Data Protection Act, in respect of security of retained personal information and its destruction after 12 months, the ICO will need appropriately enhanced powers and the necessary additional resources.

Clauses were added to the draft bill and confirmed in the Queen’s Speech, following opposition to May’s proposals from junior Coalition members, the LibDems. They include measures such as consultation requirements, data security and integrity, destruction of data and other safeguards.

LibDem MP Julian Huppert, who led his party’s charge against May’s initial plans, welcomed the opportunity to debate the draft bill out in the open, but he remains worried about certain aspects of the proposals.

“My immediate concern is Clause 1. As written, it gives the Secretary of State far too broad a power. It allows data collection exercises that are perfectly reasonable – but would also allow pervasive black boxes that would monitor every online information flow, an idea which is clearly unacceptable.

“This must be tightened up urgently. The accompanying text is much better – but I don’t think we should pass broad laws on a promise from government that they will never abuse them.

“This absolutely must be changed: it is unacceptable as it currently stands.”

A copy of the draft bill isn’t currently available via the Home Office website, which we’re informed suffered some technical difficulties. Readers can get their mitts on it here [PDF]. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/14/web_super_snoop_draft_bill_released_by_home_office/

Purdue researchers add ‘wakelock’ cleanup to phone power research

The Purdue University team which in March published a paper identifying how rogue apps and user-tracking can sap Android batteries has followed up with research into detecting and fixing the “wakelock” bugs.

The new study is to be presented at the MobiSys conference in the UK later this month. The researchers have extended their profiling to cover 187 apps, and found that 42 of them – more than 22 percent – had some kind of wakelock bug.

The problem is simple, says Purdue professor of electrical engineering Charlie Hu: programmers are human, and make mistakes. In juggling the various APIs they need to access to wake the phone up – for example, to receive an incoming call when the phone is asleep, or to check e-mail – they can leave the phone awake after the activity and drain the battery.

The Purdue group’s previous research identified bugs in newsreader apps, advertising tracking, and even the free version of Angry Birds (which devoted one-third of its unnecessary power consumption to GPS tracking). As noted at the time, I/O is a power hog and is often badly-handled by app developers.

Hu’s group uses a modified compiler to identify no-sleep bugs in software, and claims they can identify most, if not all, such bugs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/13/fixing_android_no_sleep_bug/

World+dog discovers hi-res aerial maps, thanks to Google and Apple

While I’m happy to join in the general outrage about intrusions on our privacy, the metaphorical 72-point front-page headlines about Google and Apple display a deep ignorance about the existing, common, mundane uses of aerial imaging.

When people add the words “military”, “grade”, “spy” and “imaging” into a story also containing the words “Google” and “Apple”, the main game is to sprinkle some search engine optimization fairy-dust into the piece as a hit magnet and/or click-collector thanks to a scary headline.

Here’s an example: Apple and Google, trying to out-map each other, are reportedly seeking “military grade” kit (says the Daily Mail and others) for aerial photography “able to scan objects down to four inches wide” (as ZDNet puts it), taken by “spy planes” (thank you to Tech2).

Is it intrusive? Certainly. Is it smart for a serial privacy invader like the Chocolate Factory and a conscienceless monolith like Apple to race each other to find nude sunbathers in their own backyards, all the world over? Certainly not.

Is it new technology? Nope. Is your place already in a high-res map captured with high 3D accuracy? Almost certainly.

“Military grade” often means “someone sold the kit to the military once”, or “someone hopes to sell the kit to the military”, or “this kit passed some vibration tests” and has no bearing on either the capability of aerial photography today, or who takes the most photographs.

If you don’t believe me, head to the NSW Department of Lands and take a look at the aerial photographs that already exist for the completely mundane purpose of survey information. Or, if you don’t want to do that, look at the photo that I downloaded.

Arrow indicates a four-inch feature captured in an aerial photograph available to the public.

Copyright: NSW Department of Lands, 2012

I haven’t invaded anybody’s privacy: as you can see, there are no humans in the photograph, and anyhow, it’s my house and I figure I can publish this pic as long as I respect the Department’s copyright (permission is given when you access the system).

In this quite mundane photograph, there’s an object “four inches wide” or thereabouts. I’ve even provided a pointer in the pic: a pipe running from the gutters to the water tank, and it’s about four inches wide.

(Note: this image has been shrunk to fit this page).

What about the other exciting angle to the story, that all this “military grade” stuff is going to build 3D models of cities?

Take a read of this, which describes LIDAR capture of Australian coastlines, to a vertical resolution of 10-15 cm (or, roughly – guess what? – four inches).

The kind of data that’s got people yelling “military spy technology!” is already routine (if expensive to buy). What’s cool (if that’s the right word) or at least new is the ability to combine the 3D models with realistic images, so that your Big Ben looks like you expect.

In other words: neither Apple nor Google are producing anything new by way of data collection. The “new” privacy invasion, if there is a new one, concerns who is collecting that aerial data, and the uses they intend for it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/13/google_apple_end_privacy_forever/