STE WILLIAMS

Linode hackers escape with $70K in daring bitcoin heist

Popular web host Linode has been hacked by cyber-thieves who made off with a stash of bitcoins worth $71,000 (£44,736) in real money.

The crooks pulled off the heist after obtaining admin passwords for Linode’s network gear. Having infiltrated its systems, the thieves proceeded to target several Bitcoin-related servers, stealing $15k (£9.45k) from one merchant and more than 10,000 bitcoins ($56k, £35k) from Bitcoinica, a trading exchange for the digital currency. Bitcoinica has promised to reimburse customers for any losses. It said in a statement:

Many of you have heard that several bitcoin services were victims of a recent Linode security breach today. Unfortunately, Bitcoinica is also among the services affected.

On 2012-03-01 at 6:30 UTC, our “hot wallet” hosted at Linode and containing over 10,000 BTC was emptied. The unauthorized access is consistent with that experienced by other bitcoin services, described by Linode as unauthorized access from Linode’s “customer support interface”.

Punters should avoid using any bitcoin addresses previously used to fund their Bitcoinica accounts, Bitcoinica advises:

We must assume that the thief has retained private keys associated with old bitcoin deposit addresses. This would allow them to access any new bitcoins sent to old deposit addresses. As of now, our website will only display new deposit addresses which are not affected by this. However any old bitcoin addresses which you may have recorded for convenience should never be used ever again. This is the most important thing.

Linode admitted it had been compromised and issued a statement to say the digital safety deposit boxes of eight customers had been ransacked. It promised to review and improve its security procedures in the wake of the hack:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted. All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to “bitcoin”. The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified. If you have not received a notification then your account is unaffected. Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords. Only those eight accounts were viewed or manipulated – no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers’ accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

Bitcoins are a form of electronic currency that can be exchanged for real cash. The system relies on public-key cryptography and peer-to-peer networking to transfer the coins between users’ wallets. Isolated incidents of cyber-crooks using number-crunching botnets to generate bitcoins were detected last year.

Some miscreants appeared to have moved over to stealing bitcoins directly but it’s unclear whether the smash-and-grab raid against Linode is a one-off, or the start of a new tactic in cybercrime. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/linode_bitcoin_heist/

Secunia bets on open information for security growth

RSA 2012 Danish vulnerability specialist developer Secunia has released the latest beta of its Personal Software Inspector (PSI), and says it is betting on an open approach to security information to grow the company.

Founder Niels Henrik Rasmussen told The Register that his company will continue to work on open information sharing with the security industry, rather than trying to lock down data for its own advantage. The benefits were clear, he said: Secunia has grown 182 per cent in the last three years, at a time when less-open competition was performing less well.

“The security community provides us with a lot of intelligence, which we can assess and then give back, instead of ‘if you want my offering you have to pay for it’,” he said. “People like the fact that we provide open solutions, the fact that we push solutions to security community.”

So far, the strategy is working very well indeed, he said. The company now gets nearly a third of its revenue from US customers, despite only having opened US operations in 2009. If Secunia’s high-profile booth at the RSA expo is any indication, business is good – the first time this El Reg hack met Rasmussen, the company had a tiny booth at the back of the hall held together with duct tape.

During the show the company released the beta of PSI 3.0, which scans host computers for unpatched code, back-checks against Secunia’s list of released and stable patches, and then automatically updates the system.

The software is installed on over four million endpoints, Rasmussen says, and the final build of the code will be out in June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/secunia_psi_open/

£30m gov ID scheme to be steered by dole office

Identity assurance remains a hot topic at the Cabinet Office. And, despite a false start late last year, Whitehall is pushing ahead with its plans to offload ID-handling onto the private sector.

The department’s digital boss Mike Bracken confirmed yesterday that, as expected, the Department for Work and Pensions had been tasked with overseeing procurement of identity services across government.

It published a notice in the Official Journal of the European Union (Ojeu) that signalled the Cabinet Office’s intention to create a private sector market for the handling of taxpayers’ ID.

As The Register exclusively revealed last year, such a plan will almost certainly need primary legislation to make the scheme a reality in the UK.

Despite that, plenty of cash has already been plonked on the ID assurance pile, with the price tag standing at £30m, according to Bracken. In November, Francis Maude’s department had allocated £10m to the scheme.

While some would argue that it remains unclear why it is necessary to build an entirely new platform for transactions between benefit claimants and the DWP – given that a system for handling taxpayer’s identity credentials is already in place – the Cabinet Office is convinced that a market can be created wrapped around its digital agenda.

That digital agenda amounts to the development of a fancy-looking website – GOV.UK – that will replace New Labour’s Directgov, while the ID assurance scheme is expected to eventually kibosh the grandly named government gateway that was built by Microsoft back in 2001.

Maude has repeatedly insisted that the so-called “digital-by-default” agenda will save money in the public purse.

“Commercially, it means that the potential cost of procuring services for the cross-government Identity Assurance programme has been slashed from £240m to £30m,” explained Bracken in a blog post yesterday.

Whether the cost of ID assurance might balloon remains open to question, however. After all, the scheme remains at the development stage of what a Cabinet Office spokesman told us in November last year involved only the “initial instantiations of the model”. Beyond that, the offloading of identity-handling onto the private sector is expected to require legislation.

But hey, what’s £30m to the taxpayer, right?

As for the details laid out in the tender document to the Ojeu, ID assurance is expected to initially support Universal Credit and the Personal Independent Payment systems to be implemented by the DWP in 2013 for 21 million claimants in the UK.

Providers need to offer either online, telephone or face-to-face identity verification.

Some other tidbits include:

  • Identity verification – Verification will be performed in an appropriate channel (web, telephone or face-to-face). The provider will verify that sufficient evidence exists to verify that a person presenting on a given channel is the owner of the claimed identity.
  • Credential management – The provider will securely manage the credential lifecycle (eg, user name, password, hard or soft tokens, grids, voice samples, memorable information, one time passwords etc), from issue to decommission, including all aspects of management of the customer, which will include for example credential loss/recovery/reissue.
  • Identity correction services – For example, managing and resolving errors identified by the customer and/or DWP.
  • Identity revocation services – Revocation of the identity (or use thereof for government authentication purposes) from the supplier.
  • DWP is building interfaces to its systems for Identity Assurance that currently use standard SAML 2 profiles. The initial set of services for DWP will therefore need to be built so that they can interface with this, and support authentication requests and responses in the telephony channel. However this interface may not necessarily apply as the services roll out across HMG.

The tender document also points out that it’s difficult at this stage to work out the cost of the ID assurance scheme to government.

“In advance of market engagement it is difficult to quantify the expected length of contracts or cost of this service. However, this manner of ID assurance provision represents a brand new, cross-HMG approach that will be of significant value across HMG,” it said.

The dole office actually stuck its ID services tender in the EU journal in late December, only to almost immediately yank it because the DWP had failed to follow the necessary procedures required for the procurement process.

As an aside, Google is among the companies involved in the gov’s private sector identity marketplace. The Chocolate Factory changed its privacy policy this week to allow the search giant to more easily track its users across its online estate – with ID verification placed at the centre of its plans to earn even more ad bucks. And Europe isn’t happy about the potentially “unlawful” terms of service tweak. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/dwp_identity_assurance_tender/

Anonymous web weapon backfires with hidden banking Trojan

Anonymous supporters queuing up to participate in denial-of-service attacks are being tricked into installing ZeuS botnet clients.

Hacktivists grabbed what they thought was the Slowloris tool, which is designed to flood websites with open connections and ultimately knock them offline. However, the download included a strain of ZeuS, which promptly installed itself on their Microsoft Windows machines.

The Trojan will carry out the distributed attacks, but that’s not all it does – it’ll also steal users’ online banking credentials, webmail logins, and cookies.

The deception began on 20 January, the same day as the FBI Megaupload raid, Symantec reports.

Malware pedlars swiped the template of an Anonymous guide to launching denial-of-service attacks from Pastebin, modified it to include a link to the nobbled build of Slowloris, and reposted the message on Pastebin to snare victims.

Anonymous is normally highly antagonistic to white-hat security firms, especially Symantec. This time however Twitter accounts maintained by the hacktivist collective were happy to endorse Symantec’s warning.

Twit AnonymousIRC wrote: “Anonymous supporters tricked into installing Zeus trojan. This MUSTN’T happen. Be careful what you post and click on!” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/trojan_attack_tool_targets_hacktivists/

Online advertising isn’t creepy enough

Open … and Shut Privacy advocates endlessly worry that online advertising companies track your every move in order to serve you creepily well-targeted ads. They needn’t bother. After all, when was the last time this hyper-invasive tracking of your online behavior actually resulted in you getting a deal on something you really wanted?

And it is invasive. Just ask The Atlantic’s Alexis Madrigal, who discovered that 105 advertising-related companies tracked his online behavior over a 36-hour period. In theory, such tracking is anonymous. In practice, this is not really the case.

While we may not mind a gaggle of marketers sniffing around our online behavior, we may be slightly more squeamish over a digital portfolio collected about us that can so easily be shared with others, including governments, crime syndicates, ex-boyfriends, you name it.

But perhaps that’s the price we pay for high-quality online content for free. We pay with our privacy.

Personally, I don’t mind this very much. I’m as boring online as I am offline. If someone wants to know just how many gallons of Jersey cow milk I drink a year, that’s their loss.

No, what grates on me is that for all the spying these companies do on my online behavior, they can’t seem to serve me an ad for something I’d actually want to buy. Worse, they’re terrible at delivering anything close to approximating a deal on the things I’d like to buy, even when I tell Google exactly what I want.

What gives?

For example, I ski a lot. And I spend a reasonable amount of time on Backcountry.com, Rossignol.com and other ski-related sites. Even the most rudimentary tracking technology should know that I’m interested in Rossignol skis (perhaps it would even know I bought two pairs of Rossignol skis this past year), yet when I type “skis” or even “Rossignol” into Google, the ads served up are for … something completely different. Even the store that sold me my last pair of Rossignol skis – EVO – keeps trying to show me every kind of ski except Rossignol skis.

And Backcountry.com, which is one of the most aggressive technology adopters among online retailers, serves up a display ad that suggests: “Dynafit, K2, Armada, Salomon more Free Shipping on Orders Over $50.”

Come on, people: if you’re going to track my online behavior, at least use it to get me to buy something I want!

It’s possible that this mismatch between online behavior and online ads is intentional. Studies have shown that ads that are too finely targeted tend to be less effective, because people get “creeped out” by them.

Still, I’m happy for “creepy” ads to be served to me, if only it resulted in getting a deal. But the most targeted ads tend to be served up on behalf of the big retailers who are least likely to give me a deal worth buying. Instead of matching my interest in Rossignol Super 7s with a real deal on Teton Gravity’s gear swap or a Craigslist ad, I’m shown full retail pricing on Backcountry.com, REI, EVO, and even eBay.

I understand that the advertisers willing to pay to track me and show me ads are different from the individuals or companies willing to sell gear for peanuts on these classified ad services. I get that. But as a consumer I’m being asked to give up my privacy for a mess of full-retail priced pottage.

It’s not worth it.

There is a disconnect in the online advertising world. Despite widespread adoption of invasive user-tracking tools, consumers are getting neither well-targeted ads nor deals that would justify clicking on the ads. We’re being asked to give up much for very little. This is a raw deal, and perhaps explains why an increasing number of people are worried about online privacy. It’s not what we’re giving up but what we’re getting in return that nettles us. ®

Matt Asay is senior vice president of business development at Nodeable, offering systems management for managing and analysing cloud-based data. He was formerly SVP of biz dev at HTML5 start-up Strobe and chief operating officer of Ubuntu commercial operation Canonical. With more than a decade spent in open source, Asay served as Alfresco’s general manager for the Americas and vice president of business development, and he helped put Novell on its open source track. Asay is an emeritus board member of the Open Source Initiative (OSI). His column, Open…and Shut, appears three times a week on The Register.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/online_advertising_and_privacy/

Manchester biz raided in text message spam clampdown

A clampdown on text spam has led to a police raid on offices in Urmston, Manchester, and the seizure of equipment by the Information Commissioner’s Office.

The UK data privacy watchdog was given enhanced powers last year to tackle the growing problem of junk SMS messages, including the authority to ask mobile operators for information and numbers. The ICO was also allowed to obtain warrants to search premises.

The latest use of these powers targeted an unnamed firm touting an ambulance-chasing injury claims service. The watchdog, which is poring over evidence collected from the raided biz, said in a statement:

As part of the ICO’s ongoing investigations aimed at tackling the scourge of unwanted spam texts linked to the Claims Management Industry and the companies profiting from this unlawful activity, the ICO executed a search warrant on a premises situated in the Urmston area of Manchester on Tuesday 28 February.

The property was believed to be connected to individuals associated with a company that is suspected of sending out thousands of unsolicited electronic marketing messages.

We will take action where it is clear that individuals or companies are profiteering from unlawful activity. This includes issuing a monetary penalty of up to £500,000 to the worst offenders.

David Clancy, an investigations manager at the ICO, explained the business model behind the mobile phone spam texts to the BBC.

“Once they [spammers] have trapped your number they will then sell it into the [claims] industry,” he said. “First users will pay £1, £1.50 for that phone number. A month later it will be distributed to lots of organisations for 50p, 20p, 10p a time.”

A previous raid last December led to the deactivation of 20,000 SIM cards. An ICO spokeswoman said the cards “had been used to send spam text messages”.

Spam texts are usually sent using unregistered pay-as-you-go SIM cards. Under regulations introduced last year mobile operators are obliged to assist the ICO in pinpointing the locations from which clusters of junk messages have been sent. This cleared the way for the ICO to obtain a search warrant, authorising a raid by ICO investigators and local police.

The ICO advises punters to avoid responding to spam text messages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/text_spam_clampdown/

Becrypt disk crypto earns first Brit spook kitemark

A full disk encryption product has become the first bit of kit to be certified by Brit spooks in their new Commercial Product Assurance scheme.

Covent Garden-based Becrypt’s DISK Protect demonstrated good commercial security practice, earning it the official stamp of approval to be used by the UK government and public sector bodies in lower threat environments. The foundation-grade certification earned by Becrypt means the DISK Protect is trusted to safeguard data sensitive enough to earn the classification of “restricted”. The technology is not approved for guarding more sensitive “confidential” or “secret” material. Nonetheless the seal of approval will make it easier for Becrypt to sell full disk encryption to public sector organisations.

The certificate was handed out by CESG (Communications-Electronics Security Group), which is part of the UK’s snooping centre GCHQ. CESG has evaluated and certified security products for years prior to the introduction of the CPA scheme in April 2011. Under the new regime, CESG and independent test labs evaluate commercial security products against published security standards. Products that meet the foundation or tougher augmented grade get the seal of approval for public sector use. Even augmented-grade certification is only good enough for the protection of “restricted and some confidential data”, CESG explains.

The CPA scheme covers not just cryptographic products but also any security-enforcing gear – such as firewalls and virtualisation technology. The certification scheme does not cover services, which are likely to fall under a separate assurance scheme, currently under development.

A spokesman for CESG said: “We are grateful to Becrypt and our first test labs – Enex and Siventure – for the interest and support they have given us during the pilot phase of CPA.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/cesg_becrypt_certification/

Election hacked, drunken robot elected to school board

RSA 2012 Security experts have warned that electronic voting systems are decades away from being secure, and to prove it a team from the University of Michigan successfully got the foul-mouthed, drunken Futurama robot Bender elected head of a school board.

In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election.

“It was too good an opportunity to pass up,” explained Professor Alex Halderman from the University of Michigan. “How often do you get the chance to hack a government network without the possibility of going to jail?”

With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn’t spot them. The team also managed to guess the login details for the terminal server used by the voting system. This wasn’t exactly difficult, since the user name and password were both “admin”.
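The article only says the Rails application had a shell injection flaw; as an added illustration (not code from the DC system or from Halderman’s write-up), this shows the classic shape of that bug, a user-supplied upload filename interpolated into a command string, beside two hardened forms and an allow-list check. The `gpg` command, recipient name and upload directory are assumptions.

```ruby
require "shellwords"

UPLOAD_DIR = "/srv/app/uploads" # assumed path, not from the article

# Vulnerable pattern: the filename is interpolated straight into a shell
# command string. Characters such as ';', '|', backticks and '$()' in the
# name are then parsed by /bin/sh instead of being part of the path.
def encrypt_command_unsafe(filename)
  "gpg --encrypt --recipient election #{UPLOAD_DIR}/#{filename}"
end

# Hardened form 1: build argv. Kernel#system / Process.spawn with several
# arguments bypass the shell, so the filename is exactly one argument
# whatever it contains.
def encrypt_argv(filename)
  ["gpg", "--encrypt", "--recipient", "election", File.join(UPLOAD_DIR, filename)]
end

# Hardened form 2: when a single shell string is unavoidable, escape every
# argument with Shellwords so metacharacters are quoted into one word.
def encrypt_command_escaped(filename)
  ["gpg", "--encrypt", "--recipient", "election",
   File.join(UPLOAD_DIR, filename)].shelljoin
end

# Defence in depth: validate before the name reaches either form.
# Allow-list characters, require an alphanumeric first character (so no
# leading dot or dash) and forbid path traversal.
SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/

def safe_filename?(name)
  return false unless name.is_a?(String) && name.match?(SAFE_NAME)
  !name.include?("..")
end

# Simple check a reviewer or test can run on a rendered command string:
# does it contain shell control characters the code itself never wrote?
def shell_metachars?(cmd)
  cmd.match?(/[;&|`$<>()\n]/)
end

if __FILE__ == $PROGRAM_NAME
  benign  = "ballot-0042.pdf"
  hostile = "ballot.pdf; echo hi" # constructed name carrying a second command
  puts encrypt_command_unsafe(hostile)   # second command visible to the shell
  puts encrypt_command_escaped(hostile)  # escaped into a single word
  p encrypt_argv(hostile)                # one argv element holds the whole name
  p [safe_filename?(benign), safe_filename?(hostile)]
end
```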

Once in, the team searched the government servers for additional vulnerabilities and system options. They found that the cameras installed to watch the voting systems weren’t protected, and used them to work out when staff left for the day and so wouldn’t spot server activity. More worrying, they also found a PDF file containing the authentication codes for every Washington DC voter in the forthcoming election.

The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman’s personal favorite) Bender for head of the DC school board. They also set up systems so that any further ballots would come under their control.

According to the log files the team found, plenty of people were also busy trying to get into the system. They spotted attempts to get in from the Persian University, as well as India and China. Using their inside access, they blocked these attacks. Finally, they inserted the word “owned” onto the final signoff screen of the voting page, and set up the University of Michigan football fight song to play after 15 seconds.

It took two days before the authorities discovered they’d been pwned, and they were only alerted to that fact when another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying. Halderman has now published a full account of the attack.

The attack demonstrates several of the flaws in electronic voting systems, and at numerous sessions at the RSA 2012 conference in San Francisco, experts have consistently warned against the dangers of this technology. In the US, 33 states have introduced some kind of electronic voting system – and none of them are secure enough to resist a determined attacker, said Dr. David Jefferson from Lawrence Livermore National Labs.

“The states are in the habit of certifying voting systems, typically without testing them or seeing the source code,” he said. “In many cases the voting system uses proprietary code that government can’t legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse.”

E-voting was a national security issue, he said. Financial attacks by hackers are relatively easy to detect – because at some point money has to leave the system. But if an election is hacked then we may never know, because it’s a one-time action that typically isn’t checked after the results have been announced and officials elected.

It will be decades before we have the technology to vote securely, Jefferson said, if indeed it is even possible. At stake is democracy itself, but politicians don’t seem to understand the problems of electronic voting, and both Jefferson and Halderman expressed fears for the future if current systems become more popular. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/electronic_voting_hacked_bender/

FBI boss warns online threats will outpace terrorism

RSA 2012 The head of the FBI warns that the threat to the US from online attacks will shortly become greater than that posed by terrorists.

“In the not too distant future we anticipate that the cyber threat will pose the number one threat to our country,” the FBI’s director Robert Mueller told delegates at the RSA 2012 conference in San Francisco. “We need to take lessons learned from terrorism and apply them to cybercrime.”

He quoted the Roman Stoic philosopher Seneca the Younger, who said that the more connected a society becomes – in Seneca’s day it was the spread of roads – then the more likely it is that an individual would become a slave to that connectivity.

The same is true of modern society, Mueller said. If the electronic systems on which society relies are removed, the result would be chaos and anarchy, he suggested. Interestingly, this goes against the advice of security guru Bruce Schneier, who pointed out that the purpose of terrorism is to terrorize, and if his phone doesn’t work he’d be annoyed, but hardly terrified.

As a society we can’t turn back the clock, Mueller said, nor should we try to. Instead, we need to share information and tactics to beat any enemies in the future. To that end, the FBI will make changes to its own force, and push for more changes to business practices from government.

All FBI special agents are now being trained in electronic methods, he said, and those who specialize in the area will get the best possible training. The agency is setting up virtual meeting rooms in which investigators can compare notes and follow up on cases.

In addition, Mueller wants a national breach law, so that when a serious hack takes place, the company hit has a responsibility to let law enforcement know. Currently, 47 states have breach laws of some sort, but the FBI wants this to be standardized across the country. Companies need to share their data on attacks and devise strategy together with law enforcement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/fbi_cyber_terrorism_warning_rsa/

India splurges £100m on new mega internet snooping HQ

Updated India’s clampdown on its netizens is set to continue after its government revealed it is setting up a National Cyber Co-ordination Centre to monitor all web traffic flowing through the country – in the name of national security.

The Times of India had access to the minutes of a National Security Council Secretariat meeting held earlier this month, which claimed the new £100m centre would monitor all tweets, emails, email drafts, status updates and other messages.

The agency will be tasked with scanning “cyber traffic flowing at the point of entry and exit at India’s international internet gateways” in order to provide “actionable alerts” to relevant government departments in the event of a perceived security threat.

If a particular online message is flagged, the centre will have the right to open it up and see if it has actually unearthed a terror plot or merely snooped on an innocent chat – so obviously no privacy issues there, then.

“The coordination centre will be the first layer of threat monitoring in the country,” deputy national security advisor Vijay Latha Reddy said during the meeting, according to the leaked paperwork. “It would always be in virtual contact with the control room of the internet service providers.”

The Indian government is now said to be working out how many people it needs to staff the new centre as well as liaison roles within each government department.

The news comes as India’s much-publicised dispute with Research In Motion took another turn last week: the BlackBerry maker agreed to set up a BBM server in the country to enable the authorities to monitor traffic running on the service more easily.

Nokia’s Push Mail service is said to be next in line, while Yahoo, Google, Skype and others are thought to be in dialogue with the government about routing their services through servers in the country to ensure all comms channels can be monitored. ®

Update

This story has been updated to correct the amount being spent on the Centre.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/india_censorship_web/