STE WILLIAMS

Freed Facebook hack Brit vents fury at $200k cleanup claim

A UK man jailed for hacking into Facebook has vowed to rebuild his life – and his reputation – after winning an appeal against his sentence.

Glen Steven Mangham, 26, from Acomb, near York, was jailed for eight months in February after he pleaded guilty to infiltrating the website’s internal network between April and May last year.

Mangham’s sentence was halved to four months in April after senior judges at London’s Court of Appeal ruled he had been treated unduly harshly by the trial judge at Southwark Crown Court. The decision made Mangham eligible for immediate release on the basis of time served, although he is still obliged to wear a tag.

The computer science student extracted Facebook’s source code without permission in hope of pointing out security flaws in the web giant’s blueprints. The intrusion was detected by Facebook and reported to the FBI, which passed the case over to British cops after the penetration was traced to the UK.

Blighty’s detectives further tracked the hack to Mangham’s parents’ house in York, leading to his arrest and subsequent prosecution. Mangham admitted three counts of unauthorised access to computers and unauthorised modification of computer data, contrary to the UK’s anti-hacking laws.

The undergraduate claimed throughout that his actions were motivated by a desire to help Facebook improve its security, something he had previously done with Yahoo! The prosecution rejected this rationale and pressed for harsh punishment as a deterrent.

Facebook stressed that no user data had been involved in the breach. During Mangham’s trial, representatives of the social networking firm said that the hack had resulted in investigation costs and other expenses that ran up to $200,000 – a figure Mangham disputes.

In sentencing, trial judge Alistair McCreath sided with the prosecution and imposed an eight-month sentence on Mangham.

‘Super Asbo’ sentencing

However, at the start of April, Mr Justice Cranston, sitting with Lord Justice Hooper and Judge Peter Rook QC at the Court of Appeal, said that Mr McCreath had erred in not giving enough weight to mitigating factors in the case, such as the lack of any attempt by Mangham to profit from his crime.

“He [the trial judge] rightly highlighted the persistence, sophistication and deliberation with which Mangham mounted his attack,” Mr Justice Cranston said, the York Press reports.

“The judge was entitled to conclude that his motive was not to inform Facebook of the defects in the system, but to prove that he could beat the system.

“In our view, the combination of the aggravating factors and mitigating factors is such that the more appropriate starting point, in our view, would have been six months, reduced to four months given the appellant’s plea. In particular, we would underline the point which the judge mentioned that the information had not been passed on to anyone and there was no financial gain involved.”

Peter Minnikin, of Harrogate firm McCormicks Solicitors, Mangham’s defence lawyers, said two grounds on which Mangham petitioned for appeal were granted.

Firstly, Mangham’s defence team successfully argued that the original sentence was “manifestly excessive” and the trial judge had failed to apply consideration over whether a suspended sentence or community order might be appropriate.

Secondly, Mangham’s previous good character was not factored into the original sentence he received, the solicitor continued.

Appeal judges also agreed that the “serious crime prevention order” applied by the trial judge against Mangham was unreasonable because his misdeeds were not serious enough to deserve a “super Asbo”.

The latter decision means that Mangham is once again free to go online and also clear to express his opinions about the case, Minnikin explained.

Mangham wasted little time following his return online to post a lengthy criticism of Facebook’s handling of his case and to tell his side of the story. The full 3,700-plus word essay is here but Mangham summarised his main gripes in this email exchange with The Reg.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/30/facebook_hacker_appeal/

CISPA passes House of Representatives vote

The Cyber Intelligence Sharing and Protection Act (CISPA) has been passed by the US House of Representatives, despite the threat of a possible veto by the president.

The bill would allow the government to pass on information about hacking threats to commercial companies, and allow them to share their users’ information with the government while shielding them from prosecution for doing so. Privacy campaigners and, most recently, the White House have come out against the bill, but in the end it passed by 248 votes to 168, with a solid Republican turnout and 42 Democrats crossing the floor.

“We can’t stand by and do nothing as US companies are hemorrhaging from the cyber looting coming from nation states like China and Russia,” said the bill’s sponsor Congressman Mike Rogers, who Opensecrets.org claims received over $100,000 from companies supporting the legislation. “America will be a little safer and our economy better protected from foreign cyber predators with this legislation. I commend the bipartisan effort on this bill.”

Some amendments to the original bill were passed to moderate its effects. Corporate information on users can now only be shared with the government for investigations into cybersecurity, cybercrime, protecting people from “harm”, stopping child exploitation, and the old favorite national security. However, this wasn’t enough to satisfy privacy advocates.

“CISPA goes too far for little reason. Cybersecurity does not have to mean abdication of Americans’ online privacy. As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back. We encourage the Senate to let this horrible bill fade into obscurity,” said ACLU legislative counsel Michelle Richardson in a statement.

All eyes are now on two competing proposals in the Senate, one sponsored by Senators Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) and the other by Republican senator for Arizona and former presidential hopeful John McCain. If CISPA is tied to one of these bills and passes, then it’s gut check time for the Obama White House.

On Wednesday the White House said the president’s advisers would recommend vetoing the bill. Then again, the White House has promised a veto before on the National Defense Authorization Act and then chickened out at the last minute. Internet rights organizations have pledged to keep the pressure up, both on the White House and on the Senate, to kill the bill.

“We’re optimistic about bringing the fight to the Senate. Once the public debate has matured we’ll see a lot more resistance to this,” Dan Auerbach, staff technologist with the Electronic Frontier Foundation (EFF) told The Register. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/28/cispa_passes_representatives/

Microsoft squashes Hotmail password hijack bug

Microsoft has smacked down a Hotmail bug that allowed hackers to lock users out of their own accounts.

Redmond took one day to slap down a glitch that allowed anyone with a Firefox add-on to remotely reset the password of a Hotmail account. The Tamper Data add-on allowed hackers to siphon off the outgoing HTTP request from the browser in real time and then modify the data.

When they triggered a password reset on a given email account, they could tamper with the requests in flight and submit a reset of their own choosing. Vulnerability-lab.com outlined the details:

Remote attackers can bypass the password recovery service to set up a new password and bypass in place protections (token based). The token protection only checks if a value is empty, then blocks or closes the web session. A remote attacker can, for example, bypass the token protection with values “+++)-”. Successful exploitation results in unauthorized MSN or Hotmail account access.

The bug seems to have been around for a while, but has recently been targeted by hackers on a larger scale. Blog whitec0de pointed out that hackers online were advertising to crack Hotmail accounts for as little as $20 (£12).

According to the vulnerability-lab.com report, Microsoft was alerted to the flaw on 20 April and got a fix out on 21 April, one day later. Microsoft went public with the fix yesterday.
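The flaw as vulnerability-lab.com describes it is a reset endpoint whose only test on the token is “is the field non-empty”. The following is an added Python example, not Microsoft’s code, that puts that weak check beside a hardened one; the two service classes, the in-memory token store and the 15-minute token lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Assumed policy for this example: reset links live for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class WeakResetService:
    """Mirrors the flaw described above: the only check on the token is
    that the value is not empty, so any filler string passes."""

    def __init__(self):
        self.passwords = {}

    def reset_password(self, account, token, new_password):
        if not token:  # "" is rejected; "+++)-" or any other junk is accepted
            return False
        self.passwords[account] = new_password
        return True


class HardenedResetService:
    """Tokens are unguessable, bound to one account, time-limited,
    single-use, and compared in constant time."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised in tests
        self.passwords = {}
        self.tokens = {}  # account -> (token, expiry timestamp)

    def issue_token(self, account):
        """Generate a fresh token for the reset link sent to the account owner."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.tokens[account] = (token, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, account, token, new_password):
        record = self.tokens.get(account)
        if record is None:
            return False  # no reset in progress for this account
        expected, expiry = record
        if self.clock() > expiry:
            del self.tokens[account]  # stale token is discarded, not honoured
            return False
        # Compare as bytes in constant time; compare_digest rejects non-ASCII str.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        del self.tokens[account]  # single use: consumed before the password changes
        self.passwords[account] = new_password
        return True


if __name__ == "__main__":
    weak = WeakResetService()
    print("weak check accepts junk token:", weak.reset_password("victim", "+++)-", "x"))
    hard = HardenedResetService()
    print("hardened check accepts junk token:", hard.reset_password("victim", "+++)-", "x"))
    real = hard.issue_token("victim")
    print("hardened check accepts issued token:", hard.reset_password("victim", real, "x"))
    print("hardened check accepts it a second time:", hard.reset_password("victim", real, "y"))
```

The hardened path fails closed at every step: a missing record, an expired record and a mismatched value all return the same result, and the token is deleted before the password is written so a replayed request cannot succeed. A production endpoint would add rate limiting and audit logging of failed attempts on top of this.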

Hotmail has 364 million users, according to a comScore report from 2010. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/27/hotmail_bug_squashed/

Elgamal, Marlinspike join dream team tackling SSL screw-ups

Infosec 2012 A non-profit organisation has brought together a team of experts to tackle SSL governance and implementation issues and promote best practice.

The Trustworthy Internet Movement (TIM) is convening a task force that includes Taher Elgamal, one of the creators of the SSL protocol; Moxie Marlinspike, creator of Convergence; Ivan Ristic, director of engineering at Qualys; and other experts from Google, PayPal and GlobalSign. Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet.

Earlier this week, the organisation launched SSL Pulse, a service that aims to track the progress of how well SSL is implemented across top websites. The SSL Pulse dashboard, launched on Wednesday, currently indicates that only 10 per cent of the world’s top websites follow SSL deployment best practices.

Problems include sites that support weak or insecure cipher suites and sites serving an incomplete certificate chain, among other shortcomings. This doesn’t necessarily mean such sites are wide open to fraud, but it does mean they could be better protected than they currently are.

Organisations can visit the site to retrieve their SSL implementation scores and download the SSL/TLS deployment best practice guides. “Making SSL pervasive on the internet is a must in order for the web to become a safer place,” said Philippe Courtot, founder of TIM and chief exec of Qualys. “Solving the implementation and governance problem can be achieved through industry collaboration and better auditing tools that give us visibility into the root causes of these issues and how to fix them.”

The Trustworthy Internet Movement aims to develop proposals to make SSL pervasive on the web. It has set itself the tough task of fixing both the SSL and Certificate Authority (CA) ecosystems.

Ristic said he has invited representatives of browser suppliers to join the TIM taskforce, which he said aims to “raise awareness” about configuration problems and other common SSL deployment shortcomings. The group will not work in isolation from other entities working on the problem. “Tons of people doing great work,” Ristic told El Reg. “We are not looking to do coding work ourselves but may well decide to fund it.

“We want to concentrate on the SSL threat model and raise awareness about deployment issues,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/27/ssl_taskforce/

Patriotic hackers face off in South China Sea

The Philippine government has appealed in vain for patriotic hackers in the country to “be the bigger man” and not retaliate against China for a series of suspected attacks on university and government web sites, as the stand-off between the two countries over a set of disputed islands continues.

The Scarborough Shoal – also known as Panatag Shoal or Huangyan island – is claimed by China even though it is located just over 100 nautical miles from the Philippines.

Tensions over the territory reached boiling point earlier this month when Philippine Navy officials tried to arrest Chinese fishermen for illegally fishing in the area, but were stopped when Chinese surveillance ships stepped in.

Soon after, various cyber attacks were launched at Philippine government sites, apparently from Chinese patriotic hackers.

The Department of Budget and Management website was forced offline for a “security audit” after being defaced on Wednesday, while the University of the Philippines web site was also hacked and defaced with a picture of the disputed islands named as belonging to China, according to local broadcaster GMA News.

Government spokesman Roy Espiritu told AFP that there have also been attempts at taking out government sites via DDoS attacks.

“They are probing into different government domains so we can’t say how many attacks there are. But it is a lot,” he told the newswire. “The signatures [of the hackers] indicate they are from Chinese networks.”

Espiritu’s call for restraint from Filipino hackers was apparently not heeded, with GMA News reporting that unspecified Chinese web sites have been defaced with messages that the islands belong to the Philippines.

“These skirmishes in cyberspace are unsanctioned by either government and are largely outbursts of public sentiment by private citizens from either country regarding the current situation,” science and technology secretary Mario Montejo is quoted as saying.

“It is our job in government to seek diplomatic solutions to these issues and not let them get out of hand.”

Patriotic hacking is nothing new, of course, and has been a frequent occurrence in the Middle East recently, especially during the Arab Spring uprisings, although the Chinese are thought to have taken it to a whole new level.

It’s widely believed in intelligence circles that the Chinese government secretly condones such attacks as long as they are in the national interest and are not directed at targets inside the country.

Most recently a civic referendum held in Hong Kong to highlight the illegitimacy of the SAR’s non-democratically elected leader was disrupted after two suspected pro-Beijing-ers launched a DDoS attack against the organisers’ web site.

One potentially positive outcome from the increased level of cyber crime in the region is that the Philippine government is reportedly getting serious about the matter.

GMA said the government is currently working to create a special cyber security body and is in the middle of passing an anti-cyber crime bill. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/27/philippine_china_hack_stand_off/

Ghost of HTML5 future: Web browser botnets

B-Sides HTML5 will allow web designers to pull off tricks that were previously only possible with Adobe Flash or convoluted JavaScript. But the technology, already widely supported by web browsers, creates plenty of opportunities for causing mischief.

During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 – from WebSockets to cross-origin requests – could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.

Many of the attack scenarios involve using JavaScript to create memory-resident “botnets in a browser”, McArdle warned, which can send spam, launch denial-of-service attacks or worse. And because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone will be able to run the platform-neutral code, utterly simplifying the development of malware.

Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.

Malicious web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are trivial to bypass – and HTTP-based attacks pass easily through most firewalls.

Additional dangers involve social engineering using HTML5’s customisable pop-ups that appear outside the browser to fool users into believing the wording on an alert box. More convincing phishing attacks can be created using the technique, McArdle said.

“The good stuff in HTML5 outweighs the bad,” he added. “We haven’t seen the bad guys doing anything bad with HTML5 but nonetheless it’s good to think ahead and develop defences.”

Web developers should make sure that their sites are not vulnerable to Cross-Origin Resource Sharing (CORS), cross-domain messaging or local storage attacks, McArdle advises. Utilities such as NoScript can also help punters.

More details on HTML5 attack scenarios and possible defences can be found on html5security.org, a website devoted to the topic. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/27/html5/

Star Trek role-players’ privates sniffed by alien invader

Gaming studio Cryptic, the company behind Star Trek Online, Champions Online and City of Heroes, has admitted that its players’ details were lifted in an unauthorised database access two years ago.

Cryptic said in a canned statement yesterday that it had only just discovered evidence of a data breach in December 2010, during which account names, handles and encrypted passwords were gathered.

The studio said it had reset passwords and sent emails out to all affected online role-players, but it doesn’t yet know whether more sensitive information – such as real names, dates of birth, billing addresses and some digits of credit cards – was slurped.

“While we have no evidence that any other information was taken by the intruder, it is possible that the intruder was able to access additional account information,” Cryptic admitted.

The studio said it was still investigating the digital break-in and was strengthening its security systems.

“For your own security, we encourage you to be especially aware of email and postal mail scams that ask for personal or sensitive information,” it advised. “If you use the same password for other accounts, especially financial accounts or accounts with personal information, we strongly recommend that you change them.”

Cryptic specialises in free-to-play online games and was acquired by Perfect World last year. The studio had not returned a request for additional comment at the time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/cryptic_unauthorised_access/

Global cop squad busts 36 credit card data-selling sites

An international team of cops has taken down 36 websites that were being used to shift vast quantities of stolen credit card and bank account data.

The Serious Organised Crime Agency in the UK, along with the FBI and the US Department of Justice, and agencies from Germany, the Netherlands, Austria, Ukraine and Romania pulled the sites offline.

Criminals were using these sites’ automated vending carts to sell batches of stolen private information quickly and easily.

The agencies have already recovered over 2.5 million items of illicitly obtained personal and financial data during the last two years of the operation, which they have passed on to financial institutions to prevent potential fraud. This has stopped over £500m worth of international fraud.

The sting also rounded up two men who are suspected of buying the compromised information on a large scale.

“This operation is an excellent example of the level of international cooperation being focused on tackling online fraud,” Lee Miles, head of cyber ops at SOCA, said in a canned statement.

“Our activities have saved business, online retailers and financial institutions potential fraud losses estimated at more than half a billion pounds, and at the same time protected thousands of individuals from the distress caused by being a victim of fraud or identity crime.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/cops_pwn_credit_data_selling_sites/

Infosec and B-Sides: Security biz exhibitions face off in London

Show diary Infosec and B-Sides both came to London this week to display the contrasting faces of the information security industry.

Crowds at Infosec proceed in an orderly manner through the various exhibits (before the cry of “Open bar!” was heard, natch)…

InfoSec Europe, in London’s Earls Court, played host to government bigwigs including Universities and Science Minister David Willetts and Information Commissioner Christopher Graham, as well as hordes of marketing suits.

B-Sides UK, by contrast, featured the elite from the UK and Ireland’s whitehat security research scene; there were no suits or ties at the Barbican, the venue of the second annual B-Sides gathering.

The absence of an upcoming general election, Icelandic volcanic ash or other travel disruption meant that there were plenty of US marketing execs and other high-profile speakers at Infosec. More than 350 firms competed for attention at Earls Court this week during the 17th edition of “Europe’s number one information security event”. The show was packed with attendees, as per every year, who take advantage of free entrance to canvass vendors on security strategy. In truth there was little or no breaking news, but Infosec remains a good place to get vendor roadmaps or see security technology in action.

Infosec show numbers seem to be holding up. Last year around 12,000 people visited the show.

The mugs, biros, T-shirts and assorted giveaways were less in evidence at InfoSec this year. However, several vendors offered open bars at the end of the first day (Tuesday) of the show, with a couple cracking open the cask as early as 3.30pm, two hours before the show floor closed. Plenty of attractive female models found work as booth babes at the show, another draw.

Bring Your Own Device was a key issue for many of the security pros attending the event. Imation used the show to launch its StealthZONE PC-on-a-stick desktop environment to enterprise customers. The technology offers a secure, consistent work environment on any USB-capable end point, offering relief from BYOD headaches. Becrypt’s Trusted Client tackles much the same problem but, unlike Imation’s technology, it can also boot off a Mac.

Those looking for the latest security research at InfoSec would have been disappointed. A sizeable number of security researchers attended but they were there to catch up with contacts rather than to make presentations or outline new research.

InfoSec is primarily about technology marketing. It’s more about generating leads, or setting up channel partners, than clinching sales, which tends to happen for visiting vendors at either side of the show. The interactive workshops that used to be one of the main features of InfoSec were thin on the ground this year, from what we could see at least.

The biggest stands at the show continue to be dominated by anti-virus vendors. Former show stalwart Microsoft hasn’t appeared for two or three years, but other IT players such as BT and Cisco were back.

BlackHat, RSA and their ilk are far better places to hear about the latest breaking research in information security. InfoSec’s education programmes used to be a draw but this function has receded over recent years. Thankfully B-Sides has come along to pick up the slack on the educational front, as well as outlining new security research in areas such as Windows Mobile 7 and HTML 5.

B-Sides – featuring speakers such as @securityninja and @f1nux – offered a counter-program to that of InfoSec, akin to putting a screening of Withnail and I across the road from that of the latest Hollywood blockbuster. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/infosec_diary/

Doh! Sage Pay forgets to renew SSL certificate

Customers logging into “secure and efficient payment service” Sage Pay this morning were served up an error message saying that the site could not be trusted, and didn’t have a valid security certificate.

SSL certificate error message, credit: screengrab

Looks like someone forgot to renew the site’s SSL certificate – which expired at 12:59am this morning.

Customers complaining to Sage Pay’s Twitter account were initially told that the SSL certificate message was an error: “Hi, Its [sic] an error causing this page to appear. The certificate is still valid and we are working to resolve this,” Sage’s PR bod asserted. But that information was then corrected two hours later: “We’re working with the hosting company to replace the expired cert with our valid in-date one. Just an admin error.”

It comes less than 48 hours after Sage Pay suffered an intermittent day-long outage that prevented payments being processed on the network.

In a statement to The Register, Sage Pay said that the certificate snafu was down to someone outside the company and was purely an admin error:

Today, due to an administrative error with a third party, an expired SSL certificate was displayed on our site.

The spokesperson stressed that at no point was security breached in any way, adding:

It is a minor issue, which has no impact on our customers.

We currently have a valid and in-date SSL certificate and are working with our hosting company to replace the expired certificate on our site.

®
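The SSL Pulse item above lists deployment shortcomings such as incomplete certificate chains and weak cipher suites, and the Sage Pay story shows the most mundane one: a certificate nobody renewed. As an added example, not SSL Labs’, TIM’s or Sage Pay’s code, the following Python monitor reads the dict that the standard library’s getpeercert() returns, classifies the certificate by time to expiry, and treats a failed handshake (which is what an expired certificate or an incomplete chain produces against a verifying client) as its own alert. The sample certificate dict, host name and 14-day threshold are constructed for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 14  # assumed alerting threshold: warn two weeks before expiry

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns;
# the name and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "pay.example.com"),),),
    "notBefore": "Apr 26 00:59:00 2011 GMT",
    "notAfter": "Apr 26 00:59:00 2012 GMT",
}


def not_after(cert):
    """Expiry time of a getpeercert()-style dict as a Unix timestamp."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def expiry_status(cert, now=None, warn_days=WARN_DAYS):
    """Classify a certificate as 'ok', 'expiring' or 'expired'.

    Returns (status, days_remaining); days_remaining is negative once expired."""
    now = time.time() if now is None else now
    days_remaining = (not_after(cert) - now) / 86400
    if days_remaining < 0:
        return "expired", days_remaining
    if days_remaining < warn_days:
        return "expiring", days_remaining
    return "ok", days_remaining


def check_host(host, port=443, timeout=5.0):
    """Connect to a live server and classify the certificate it presents.

    A default (verifying) context rejects an expired certificate, an
    untrusted issuer or a chain the server failed to send in full, so the
    handshake error is reported as a status instead of crashing the monitor."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return expiry_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return "verify_failed", str(err)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, five days before expiry.
    status, days = expiry_status(SAMPLE_CERT, now=not_after(SAMPLE_CERT) - 5 * 86400)
    name = SAMPLE_CERT["subject"][0][0][1]
    print(f"{name}: {status} ({days:.1f} days remaining)")
```

Run check_host("pay.example.com") from a scheduled job and page on anything other than "ok": "expiring" gives the operations team the two weeks Sage Pay evidently lacked, and "verify_failed" catches both the expired certificate and the incomplete-chain case that SSL Pulse flags, since a verifying client cannot build a trust path from a chain with a missing intermediate.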

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/26/sagepay_ssl_certificate/