STE WILLIAMS

All of Europe’s data in US servers? We’re OK with that

CCWF2012 A European Commission director has said that it shouldn’t really matter where Europe’s data is stored, as long as it’s secure and protected.

Megan Richards, acting deputy director general of Information Society and Media and also part of the Converged Networks and Services directorate, said it wouldn’t necessarily be a problem if European data was held in data centres in the US.

“Theoretically, it shouldn’t matter where data is held as long as our rules apply,” Richards told The Reg at the Cloud Computing World Forum in London. “The legislation in the US is not so different from the legislation we have in the EU.”

Richards was talking about the new data protection legislation currently making its way through the European Parliament, which she is hoping to see implemented in the next two-and-a-half years.

“It usually takes a year to go through Parliament, usually,” she emphasised, “Then, after adoption, it’s supposed to come in in two years.”

The new data protection legislation is important to the European Cloud Computing Strategy because it will mean that all member states have the same rules instead of the current situation, where each country has adapted the less-binding directive in their own way.

“The advantage of legislation is that it applies to everyone,” Richards said.

The cloud strategy is another thing that’s expected to be adopted soon; at the moment it’s still being discussed at various levels, according to Richards. But she said that cloud was very important to Europe, especially in the current economic crisis.

“We really need to drive growth and jobs in the future,” she said. “One of the pillars of the EU 2020 strategy is the digital agenda, which has many actions to push growth forward in Europe, and we think cloud has great potential.”

Richards reckons cloud computing has the potential to deliver €700bn (£564bn) of economic benefit in the five biggest European economies and generate five million new jobs in the five largest member states.

But getting the cloud moving in Europe requires better broadband rollout, more standardised legislation and less fragmentation in markets, she said.

“That’s what cloud providers need,” Richards added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/13/ec_cloud_data_anywhere/

World+dog discovers high-res aerial mapping, courtesy Google and Apple

While I’m happy to join in the general outrage about intrusions on our privacy, the metaphorical 72-point front-page headlines about Google and Apple display a deep ignorance about the existing, common, mundane uses of aerial imaging.

When people add the words “military”, “grade”, “spy” and “imaging” into a story also containing the words “Google” and “Apple”, the main game is to sprinkle some search engine optimization fairy-dust into the piece as a hit magnet and/or click-collector thanks to a scary headline.

Here’s an example: Apple and Google, trying to out-map each other, are reportedly seeking “military grade” kit (says the Daily Mail and others) for aerial photography “able to scan objects down to four inches wide” (as ZDNet puts it), taken by “spy planes” (thank you to Tech2).

Is it intrusive? Certainly. Is it smart for a serial privacy invader like the Chocolate Factory and a conscienceless monolith like Apple to race each other to find nude sunbathers in their own backyards, all the world over? Certainly not.

Is it new technology? Nope. Is your place already in a high-res map captured with high 3D accuracy? Almost certainly.

“Military grade” often means “someone sold the kit to the military once”, or “someone hopes to sell the kit to the military”, or “this kit passed some vibration tests” and has no bearing on either the capability of aerial photography today, or who takes the most photographs.

If you don’t believe me, head to the NSW Department of Lands and take a look at the aerial photographs that already exist for the completely mundane purpose of survey information. Or, if you don’t want to do that, look at the photo that I downloaded.

Arrow indicates a four-inch feature captured in an aerial photograph available to the public.

Copyright: NSW Department of Lands, 2012

I haven’t invaded anybody’s privacy: as you can see, there are no humans in the photograph, and anyhow, it’s my house and I figure I can publish this pic as long as I respect the Department’s copyright (permission is given when you access the system).

In this quite mundane photograph, there’s an object “four inches wide” or thereabouts. I’ve even provided a pointer in the pic: a pipe running from the gutters to the water tank, and it’s about four inches wide.

(Note: this image has been shrunk to fit this page).

What about the other exciting angle to the story, that all this “military grade” stuff is going to build 3D models of cities?

Take a read of this, which describes LIDAR capture of Australian coastlines, to a vertical resolution of 10-15 cm (or, roughly – guess what? – four inches).

The kind of data that’s got people yelling “military spy technology!” is already routine (if expensive to buy). What’s cool (if that’s the right word) or at least new is the ability to combine the 3D models with realistic images, so that your Big Ben looks like you expect.

In other words: neither Apple nor Google are producing anything new by way of data collection. The “new” privacy invasion, if there is a new one, concerns who is collecting that aerial data, and the uses they intend for it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/13/google_apple_end_privacy_forever/

Exploit posted for vulnerable F5 kit

A vulnerability in F5 kit first announced in February may be in the wild, with code posted to Github purporting to be an exploit.

The original advisory stated that vulnerable installations of F5’s BigIP and other systems allowed an attacker to log in as root, because the vulnerability exposed the device’s SSH private key. F5 responded earlier this month.

Since it’s only seven days since F5 issued its advisory – and the patch – it’s likely that unpatched systems still exist.

F5 describes the issue as “A platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to affected systems using SSH. The vulnerability is caused by a configuration error, and is not the result of an underlying SSH defect.”

Today, exploit code has been posted to Github. That code purports to gain remote access to some of the affected F5 systems – its BigIP devices.

The vulnerability can be addressed either by users upgrading to a non-vulnerable version, or reconfiguring SSH access (instructions are provided at the F5 link).

The Register has sought comment from F5. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/13/f5_kit_metasploit_exploit/

McAfee upgrades cloud security and Intel identity kit

McAfee has upgraded its enterprise Cloud Security Platform and activated the first in a series of integrations with parent company Intel’s identity management systems.

The security company has beefed up data loss systems to cover email and web gateways and added a simplified management control and reporting panel that allows common policy and control settings across hybrid clouds and on-premises systems. New context-aware software locks systems down further and provides real-time feedback.

Mobile users are also getting an update, with web protection software that reroutes laptop traffic through either the company’s own web gateway or a cloud provider to ensure security policies are consistently followed. The varied working styles and locations of mobile workers increase the likelihood of a security breach, Anne Aarness, McAfee senior product marketing manager, told The Register.

McAfee’s ePolicy Orchestrator (ePO) administration is also getting a major upgrade to incorporate Intel’s cloud single sign-on (SSO) technology, which sets up a secure portal for individual users to access cloud applications, built on Salesforce’s Force.com platform.

Cloud SSO has a password generation application that works with Windows, Android, iOS and RIM for endpoints and allows a single password to manage authentication across all platforms and applications. Users get a single portal showing them what applications are available.

Intel is claiming hundreds of cloud applications will work with the system, with more on the way. Those users with Intel hardware can also use Chipzilla’s identity protection technology that’s built into the die.

“This is the starting point in the direction of the vision of how we can make sure that the transaction from the client to the cloud are secure,” Vikas Jain, director of product management for application security and identity products at Intel, told The Register last month. “This is just phase one of that and more contextual elements will come in the future.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/12/mcafee_intel_cloud_security/

New ID leak from Global Payments

Credit and debit card processor Global Payments has warned that additional confidential information on its servers may have been compromised in the hacking attack earlier this year that saw around 1.5 million credit card details snatched.

In a press call, company CEO Paul Garcia said that subsequent investigations internally and by federal authorities into that attack have shown that confidential information submitted by small merchant customers may have been compromised, although it wasn’t clear if the attackers had scanned it.

“What we initially announced did impact less than 1.5 million cards that we believed were taken by the bad guys for nefarious purposes,” Garcia said. “This is something very different. We uncovered that the bad guys may have had access.”

Garcia declined to give details on the nature of the information or the number of customers affected, but said that each would get $1m in identity fraud insurance paid for by the company. Credit agencies have also been informed and those at risk would be contacted. So far there was only “anecdotal” evidence of fraud on the stolen credit cards and none on the new leak, he said.

In an effort to woo back lost customers like Visa, Global Payments has drafted in an independent consultant to examine its security and data handling procedures. Some payment companies have pulled Global Payments from their data security standard (PCI DSS) list and Garcia said that his staff would then make any changes suggested in the consultant’s report and reapply for certification.

Despite the loss of revenue stemming from the attack, Garcia said that the company was sticking with its current financial forecasts for the year and expects this to be a one-time cost to the balance sheet. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/12/global_payments_id_leak/

UK regulator re-opens probe into Google Street View slurp outrage

The Information Commissioner’s Office has reopened its investigation of Google’s controversial Street View technology, after its data-collecting cars collected payload data including emails and passwords from unencrypted Wi-Fi networks.

The regulator’s head of enforcement Steve Eckersley has sent an aggressive letter to senior Google veep Alan Eustace demanding “prompt” answers to seven questions to explain why Street View was able to slurp such data.

The letter followed the US Federal Communications Commission’s findings that it seemed “likely that such information was deliberately captured” by the fleet of vehicles in the UK.

The FCC dismissed Google’s claim that a lone engineer had been responsible for slurping unsecured Wi-Fi traffic and concluded that while the company had not breached the US Wiretap Act it was guilty of obstructing its investigation.

The search giant was slapped with a $25,000 fine in April this year for wasting the FCC’s time.

Now, the ICO wants Google to explain “precisely what type of data and sensitive personal data was captured within the payload data collected in the UK”.

It is also quizzing Google regarding just when its management became aware of what data had been collected by the Street View cars.

Further, the ICO wants to know why this information wasn’t provided to the regulator when Google visited the ICO’s London office with data that had been “pre-prepared” by the company in July 2010.

The ICO is also calling on Google to explain at what point senior members of the firm were privy to software design documents that showed what type of data could be captured by its Street View cars.

It’s essentially looking for a corporate audit trail that backs up – or conflicts with – Google’s original assertions about the embarrassing payload data slurp, which the company initially denied.

Finally, the ICO cited the Data Protection Act 1998 in its questions to Google. It wants to know what measures were introduced to prevent breaches at each stage of Street View’s development and subsequent deployment.

Privacy campaigner Nick Pickles, of Big Brother Watch, told The Register this afternoon: “The Information Commissioner’s Office is absolutely right to re-open the investigation and must now take every step to get to the bottom of just how many Britons had their privacy trampled on by Google.”

“The investigation must now be pursued with the vigour sadly lacking in 2010, and every effort made to ensure that Google answers the extremely important questions that it has so far avoided,” he added, while accusing the search giant of “deliberately concealing” the truth of what happened from the ICO.

“Breaching the Data Protection Act is a criminal offence and the law should be applied to Google in the same way as any other company or individual.”

El Reg has asked Google to comment on this story, but it hadn’t got back to us at time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/12/google_investigated_by_ico_over_street_view_again/

Source code smoking gun links Stuxnet AND Flame

A direct link exists between the infamous uranium enrichment sabotage worm Stuxnet and the newly uncovered Flame mega-malware, researchers have claimed.

Russian virus protection outfit Kaspersky Lab said in a blog post yesterday that although two separate teams worked on Stuxnet and Flame, the viruses’ programmers “cooperated at least once during the early stages of development”.

The smoking gun, in the lab’s opinion, is a component in an early build of Stuxnet that appears in Flame as a plugin.

The New York Times revealed this month that Stuxnet’s infiltration of Iran’s nuclear programme, and subsequent knackering of the Middle East nation’s uranium centrifuges, was a joint effort by US and Israel. The project, publicly uncovered in June 2010, was initiated by the Bush administration and continued under President Barack Obama.

Stuxnet, which notoriously exploited previously unknown security vulnerabilities in Microsoft Windows to gain access to industrial control systems, was long believed to be state-sponsored and developed by an American-Israeli alliance.

Meanwhile the Flame malware – a sophisticated data-stealing worm that has also been burning through computers in the Middle East and beyond – was active for up to two years before being unearthed by security experts in May this year. A self-destruct command was issued to the espionage virus by its shadowy handlers last week, and to us on the security desk at Vulture Central that sounds an awful lot like a James Bond mission gone wrong.

Here’s a quick rundown of what Kaspersky Lab found during its research:

  • A module from the early 2009-version of Stuxnet, known as “Resource 207”, was actually a Flame plugin.
  • This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.
  • This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.
  • The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025.
  • Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.
  • Starting from 2010, the two development teams worked independently, with the only suspected cooperation taking place in terms of exchanging the know-how about the new ‘zero-day’ vulnerabilities.

Importantly, according to Kaspersky Lab’s investigation, the Resource 207 module – an encrypted DLL file – contained a 341,768-byte executable file named atmpsvcn.ocx that has lots in common with the code used in the Flame malware.

“The list of striking resemblances includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming,” the security experts added.

Kaspersky Lab’s chief boffin Alexander Gostev noted that completely different development platforms had been used to craft the separate viruses.

“The projects were indeed separate and independent from each other. However, the new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups cooperated at least once. What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected,” he said.

A technical look at how researchers spotted Flame’s code nesting in the early Stuxnet version is available here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/12/stuxnet_flame_links_discovered_by_security_researchers/

Password flaw leaves MySQL, MariaDB open to brute force attack

A basic flaw in the password software used by MySQL and MariaDB allows a brute-force attack to bag the password and gain full root access in a few seconds, according to details published by security researchers.

MariaDB security coordinator Sergei Golubchik explained the flaw, which involves a casting error when passwords are checked using the memcmp function, giving roughly a one-in-256 chance that a connection attempt is accepted regardless of the password supplied.

“If one knows a user name to connect (and “root” almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,” Golubchik said.

He said that gcc’s built-in memcmp and the BSD libc memcmp are safe, but that the SSE-optimised memcmp in Linux glibc is not, because it can return an arbitrary integer outside the -128..127 range, which the cast to a single-byte boolean then truncates. MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, and 5.5.22 should be considered at risk.

According to testing by Metasploit creator HD Moore, 64-bit Ubuntu versions 10.04, 10.10, 11.04, 11.10, and 12.04 are all vulnerable, as are the Fedora and OpenSUSE 12.1 64-bit builds of MySQL 5.5.23. Debian and Gentoo’s 64-bit Linux builds appear to be in the clear, as are official builds of MySQL and MariaDB (the latter released in April); Red Hat has confirmed its Enterprise Linux 4, 5, and 6 are secure.

Moore said that a quick scan of 1.74 million MySQL servers showed over 50 per cent (879,046 against 863,920) were vulnerable to the attack, and that security testers have already built software that could fully exploit the flaw.

Oracle has already dealt with this issue in its April security update, and there are separate patches for MariaDB and MySQL. Admins are advised to regard this as a priority, given the simplicity of the attack. ®
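The casting error described above, as an added illustration that is not code from MySQL or MariaDB: the password check narrows the int returned by memcmp() into a one-byte my_bool, so any comparison result whose low byte happens to be zero reads as “match”. The comparators memcmp_narrow and memcmp_wide are constructed models of a conservative and an optimised libc memcmp, not the real library functions, and the sample hash is made up.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LEN 20   /* length of the compared password hash (SHA1 size) */

typedef char my_bool;     /* MySQL's my_bool is a plain char, one byte wide */
typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Constructed model of a conservative memcmp that only returns -1, 0 or 1. */
int memcmp_narrow(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i]) return x[i] < y[i] ? -1 : 1;
    return 0;
}

/* Constructed model of a "wide" memcmp: still a valid memcmp (the sign is
 * right) but the magnitude is a multiple of 256, the worst case for the bug
 * below. Real optimised implementations may return arbitrary integers. */
int memcmp_wide(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i]) return ((int)x[i] - (int)y[i]) * 256;
    return 0;
}

/* Vulnerable shape: the int is narrowed to my_bool, so a result such as
 * 256 or -512 truncates to 0 and is taken as "no mismatch" (accept). */
my_bool check_scramble_vulnerable(const unsigned char *expected,
                                  const unsigned char *got, cmp_fn cmp)
{
    return (my_bool) cmp(expected, got, SCRAMBLE_LEN);   /* 0 means accept */
}

/* Fixed shape: reduce the result to 0/1 before it is narrowed. */
my_bool check_scramble_fixed(const unsigned char *expected,
                             const unsigned char *got, cmp_fn cmp)
{
    return cmp(expected, got, SCRAMBLE_LEN) != 0;        /* 0 means accept */
}

typedef my_bool (*check_fn)(const unsigned char *, const unsigned char *, cmp_fn);

/* Vary the last byte of the hash over all 256 values and count how many the
 * given check accepts. A correct check accepts exactly one. */
int count_accepted(check_fn check, cmp_fn cmp)
{
    unsigned char expected[SCRAMBLE_LEN], guess[SCRAMBLE_LEN];
    /* constructed sample hash; the real value is derived from the password */
    for (size_t i = 0; i < SCRAMBLE_LEN; i++)
        expected[i] = (unsigned char)(i * 37 + 11);
    memcpy(guess, expected, SCRAMBLE_LEN);
    int accepted = 0;
    for (int b = 0; b < 256; b++) {
        guess[SCRAMBLE_LEN - 1] = (unsigned char) b;
        if (check(expected, guess, cmp) == 0) accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("narrow memcmp: vulnerable=%d fixed=%d\n",
           count_accepted(check_scramble_vulnerable, memcmp_narrow),
           count_accepted(check_scramble_fixed, memcmp_narrow));
    printf("wide memcmp:   vulnerable=%d fixed=%d\n",
           count_accepted(check_scramble_vulnerable, memcmp_wide),
           count_accepted(check_scramble_fixed, memcmp_wide));
    return 0;
}
```

Because cmp_fn has memcmp's own signature, the platform's real memcmp can be passed to count_accepted as well; the fixed check accepts exactly one value whatever memcmp returns, which is the property the patch restores.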

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/11/mysql_mariadb_password_flaw/

Passwords pillaged from League of Legends wand-strokers

Passwords, email addresses, dates of birth and other sensitive data have been plundered from the player databases of fantasy strategy game League of Legends.

Publisher Riot Games sent emails to its online role-players in West, Nordic and East Europe, and posted on its website, to warn that hackers had raided their account information.

Players’ data including email addresses, passwords, summoner names, dates of birth and, in some cases, real names and security QA, was stolen but financial info was safe, Riot said.

“Absolutely no payment or billing information of any kind was included in the breach,” the company promised, although it did admit that the security on the data that was stolen wasn’t that hot.

“Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking,” Riot stated.

The gaming firm said it had now patched the hole the hackers had exploited, and that it would use new techniques to secure data in future.

“We’ll continue to invest in security measures, including password hashing and data encryption, state-of-the-art firewalls, SSL, security ninjas, and other security measures to make your info safer,” the games firm stated. “We’ve been humbled by this experience and know that nothing guarantees the security of internet-connected systems such as League of Legends. We can simply promise to try our very best to protect your data.”

Riot advised players to change their password immediately and watch out for phishes.

In November the company claimed it had 11.5 million active monthly users for warrior’n’wizards multiplayer League of Legends, with more than 30 million gamers registered in total. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/11/league_of_legends_hack/

India to greenlight state-sponsored cyber attacks

The Indian government is stepping up its cyber security capabilities with plans to protect critical national infrastructure from a Stuxnet-like attack and to authorise two agencies to carry out state-sponsored attacks if necessary.

Sources told the Times of India that the government’s National Security Council, headed by prime minister Manmohan Singh, is currently finalising plans which would give the Defence Intelligence Agency (DIA) and National Technical Research Organisation (NTRO) the power to carry out unspecified offensive operations.

India is also hoping to co-ordinate its defensive capabilities better, in the event of an attack which could debilitate its critical infrastructure.

The country was reportedly hit by Stuxnet, although it doesn’t appear to have caused any serious damage and was unlikely to have been a deliberately targeted attack.

With this in mind, the NTRO is likely to be called on to create a 24-hour National Critical Information Infrastructure Protection Centre (NCIPC) to monitor threats, while sector-specific Computer Emergency Response Teams (CERTs) will also be recommended, the report said.

The NTRO and Intelligence Bureau (IB) will be given responsibility for the security of various government networks, it added.

The Indian government is some way behind the US and UK in its formulation of a coherent national cyber security policy, and has been criticised in the past for its slow response to denial of service and web defacement attacks.

Most recently it has been under fire from hacktivist collective Anonymous in retaliation for its stance on illegal file sharing, while hackers from neighbouring rival Pakistan are thought to represent a constant threat.

Last month Symantec warned that the lack of security know-how among the country’s growing urban population and small and medium sized businesses is being exploited with increasing ruthlessness by criminals. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/11/india_state_sponsored_attacks/