STE WILLIAMS

USER-TRACKING Firefox sparks Mozilla civil war

Mozilla coders are arguing among themselves about the open-source outfit’s Metrics Data Ping project, which was designed to monitor Firefox usage metrics. Several coders in the Mozilla camp have expressed concern about how some developers are proposing the project should collect data from users of the browser.

“It seems as if we are saying that since we already collect most of this data via various product features, that makes it ok to also collect this data in a central place and attach an ID to it,” wrote the org’s engineering manager Benjamin Smedberg in a mailing list email entitled ‘Anonymous metrics collection from Firefox’.

He added: “Or, that because we *need* this data in order to make the product better, it’s ok to collect it. This makes me intensely uncomfortable. At this point I think we’d be better off either collecting only the data which cannot be used to track individual installs, or not implementing this feature at all.”

The Telemetry project, which measures browser performance, has already been slotted into Mozilla’s browser, in September when Firefox 7 debuted. As the lead dev on the project, Taras Glek, noted at the time, Telemetry “will prompt users to opt in to reporting performance data to Mozilla”.

He added that the data is transmitted via encryption protocol SSL and said that the “Mozilla privacy team worked tirelessly to ensure that no personally-identifiable information is sent via Telemetry”.

Glek added: “Whereas many other software projects stamp this kind of data with a unique per-user ID, we opted for a per-session ID which is reset every time the browser restarts. Telemetry is also disabled while in private-browsing mode.”

However, unlike the Telemetry Project, the proposed MetricsDataPing project will be opt out…

“Now, I know your job is data collection and you want as much data as possible, but the users have a law-given *right* to their privacy, and we have to find a middle ground. I don’t think your proposal of specifically tracking individual users over time represents such a middle ground,” said Mozilla’s Ben Bucksch to the outfit’s metrics engineering manager Daniel Einspanjer.

To UUID, or not to UUID

Bucksch is concerned because a proposal has been put forward for Telemetry to include a universally unique identifier (UUID) for longitudinal analysis.

He claimed that the presence of that UUID would mean that personally identifiable information was being collected and added that it must not happen, not only because of the privacy implications but also due to the potential damage to Mozilla’s reputation.

Several other devs batted away his concerns and asked Bucksch for evidence that the proposed feature for Telemetry would be “illegal” in the eyes of data protection officers in Germany and Brussels.

Einspanjer offered up this defence of the project:

I stated there that I believe there must be a level of trust and expectation that we will do what we say we will do with the data, and not attempt to deceive the user and attempt to store IP address or personal information.

Looking at the proposed data set with a document ID, if Mozilla or even a party with the ability to request or steal a snapshot of that data were to examine it with the most dubious of intent, what would they possibly be able to extract?

If there are specific concerns there, then it would be well worth our time to look at either mitigating those concerns or deciding if we needed to give up those specific data points.

Bucksch likened the use of a UUID in MetricsDataPing to privacy blunders from Google and Facebook.

The debate within Mozilla Towers continues.

Meanwhile, Henri Sivonen – a freelance consultant to the Firefox-maker – urged caution: “Even if sending a UUID had no real privacy impact, sending a UUID would be bad publicity in Europe. The usage share of Firefox is in the decline. Europe in general and Germany in particular is a place where the usage share of Firefox is high. It seems like a bad idea to hurt that market share in order to study metrics related to it.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/07/mozilla_telemetry_controversy/

TRENDnet home security cam flaw exposes thousands

TRENDnet has acknowledged a flaw that meant that live feeds from its home security cameras were accessible online without needing a password.

The US-based manufacturer admitted the problem – which affects its SecurView Cameras bought after April 2010 – and on Monday began releasing firmware updates designed to plug the hole. It apologised to its customers for the snafu in a security bulletin (extract below) that provides links to the relevant security upgrades.

TRENDnet has recently gained awareness of an IP camera vulnerability common to many TRENDnet SecurView cameras. It is TRENDnet’s understanding that video from select TRENDnet IP cameras may be accessed online in real time. Upon awareness of the issue, TRENDnet initiated immediate actions to correct and publish updated firmware which resolves the vulnerability.

The problem came to light after a montage of feeds from insecure Trendnet cameras was posted on an online forum in the early part of last month. IP addresses linked to video streams were also posted on various messageboard sites at around the same time, the BBC reports.

The accessibility of live feeds to anyone on the net who sought to look is particularly worrisome as TRENDnet’s home security cameras are often placed by parents in children’s bedrooms and other sensitive locations. Prospective voyeurs only needed to know a user’s IP address, as well as the identical sequence of 15 characters used by affected TRENDnet cameras, to gain access to a live video feed.

Online search engines might easily be used to automate the process of finding vulnerable camera feeds.

TRENDnet told the BBC that it became aware of the problem on 12 January, and since then has been developing and testing firmware fixes to resolve the coding error, which apparently was introduced two years ago. Registered users have been informed by email of the snafu already but the firm only published an advisory on Monday – after news of the problem broke. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/07/home_video_camera_security_snafu/

Avast! Mobile Security

Android App of the Week The security or lack thereof of the Android platform – real or imagined – is a common topic of conversation at the moment so it seems like a good time to take a look for a comprehensive security app. My preferred choice is Avast!.

Avast! for Android is free and carries no advertising, making it perfect for anyone who is just a little worried about mobile security but thinks that it could be a case of a lot of smoke but very little fire.


Avast! comprises many components (left), including a virus scanner (right)

The app consists of six distinct parts and a seventh, optional one. The six are a virus scanner; a privacy advisor which tells you which apps have access to what systems; a basic application manager; something called Web Shield, which warns you about dodgy websites; a text and call filter; and a firewall.

It’s worth mentioning that the latter only works with rooted handsets. Web Shield only does its stuff with the stock Android browser, so if you are using Dolphin like me it’s not a feature you need to dwell on.


The firewall (left) only works if your phone is rooted; the Web Shield (right) only works with the stock browser

I suspect the average user will get most mileage from the virus scanner, which will give them some peace of mind that no nefarious code is lurking on their system or SD storage like a mugger outside a coach station.

The optional component is a comprehensive anti-theft system. This part of the app is standalone, so you have to download it separately and, usefully, you can rename it so it appears in your app drawer as something other than the rather obvious Avast! Anti-Theft.


Anti-Theft (left) is an optional extra that can disguise itself (right)

A range of protection functions can be triggered when the phone’s Sim card is changed to one not pre-approved or when the device is marked as lost by sending a text message.

These include some standard features like a lock and a siren, but also some less common ones like the ability to deny access to USB debugging, or the handset’s program manager and phone settings. Again, if your handset is rooted you will get more out of this feature.


Protect your data if your phone is lost (left) and see what your running apps are up to (right)

RH Recommended Medal

To cap it all, the interface is very well designed, with clearly written guidance about what each feature does and how to use it. With no cost implication there’s nothing to lose by installing it on the always-carry-a-condom principle: better to have it and not need it than the other way around. ®

Size: 3.7MB

Apps2SD: No


Article source: http://go.theregister.com/feed/www.reghardware.com/2012/02/07/app_of_the_week_android_avast/

Adobe adds Flash sandboxing to Firefox

Adobe has released beta code for sandboxing its heavily hacked Flash code within Firefox, in a similar fashion to the Chrome-derived sandbox protections already added to its Reader software and to Google’s Chrome browser.

“Sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring effective exploits,” said Peleus Uhley, senior security researcher for Adobe in a blog post.

“For example, since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X. We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.”

Adobe used elements of the sandboxing technology Google had built into Chrome for its Reader code, after a string of attacks against the popular Flash platform. The technology was released in November 2010 – and promptly broken less than two months later by a Google engineer, although Adobe said this didn’t count as it couldn’t be done remotely. The code has also been added to Chrome, and Adobe promised other browsers would get similar protections.

The code will work with Firefox 4.0 or later versions running on Windows 7 or Vista. More details will be given in Uhley’s talk at the CanSecWest security conference in Vancouver, British Columbia, early next month. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/07/adobe_sandbox_firefox/

Anonymous releases law firm’s emails about Haditha killings

Anonymous has leaked a trove of emails relating to the deaths of 24 Iraqi civilians at Haditha after hacking into a law firm’s systems.

The hacktivists claim to have made off with a 2.6GB email spool after breaking into the systems of Puckett Faraj, the law firm that represents Frank Wuterich, 31, the Marine staff sergeant at one point accused of manslaughter over events in Haditha, Iraq.

A total of 24 Iraqi non-combatants, including women and children, were killed in Haditha in November 2005. The event started out as an anti-insurgency operation following a roadside bombing.

The emails, released as a torrent and with extracts published on Pastebin, include transcripts of testimony, evidence from the trial and defence donation records.

The website of Puckett Faraj remained unavailable at Monday lunchtime and the firm itself has neither confirmed nor denied the alleged security breach. AFP reports that the website of the firm was defaced on Friday at the same time as the alleged email hack, with a note from Anonymous saying the group wanted to expose the “brutality of US imperialism”.

Eight soldiers were charged over the incident in Haditha, but by the end of 2008, the cases against six were dropped, while a seventh was found not guilty.

Manslaughter charges against Wuterich were also dropped, but he was convicted of negligent dereliction of duty over the incident on 24 January, receiving a demotion and pay cut but avoiding a custodial sentence as part of a plea bargaining deal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/06/anon_haditha_email_leak/

MPs rattle telcos to help kill extremist material online

Update Internet service providers must do better at removing violent material from websites, a group of MPs thundered today.

The Home Affairs select committee published a report this morning that highlighted how extremist groups and individuals use the internet “to promote violent radicalism”.

MPs were told by a series of witnesses that the internet was the main forum for radicalisation, and the committee added that concerns have been expressed about there being so many “unregulated spaces” online.

“The committee concludes that the internet is one of the most significant vehicles for promoting violent radicalism – more so than prisons, universities or places of worship, although direct, personal contact with radicals is in many cases also a significant factor,” it said.

“Although there are statutory powers under the Terrorism Act 2006 for law enforcement agencies to order unlawful material to be removed from the internet, the committee recommends that internet service providers themselves should be more active in monitoring the material they host, with appropriate guidance, advice and support from the government.”

The politicos called on the Coalition to cobble together a code of practice to get telcos to voluntarily participate in removing violent extremist material from the internet.

In evidence submitted to the home affairs committee, the Internet Service Providers Association (ISPA) noted that: “As in other areas, ISPs are not best placed to determine what constitutes violent extremism and where the line should be drawn. This is particularly true of a sensitive area like radicalisation, with differing views on what may constitute violent extremism.”

The ISPA argued that if the police do not intervene using their statutory powers under the Terrorism Act, it would be much more difficult for a telco to make an appropriate judgment about the content being hosted online. Moreover, many of the websites that carry extremist material are hosted abroad.

The committee of MPs who scrutinised the government’s so-called ‘Prevent’ strategy concluded that it was impossible to cleanse the internet of such content.

The whole area of communications technology and social networking is complex and extremely fast-moving. A form of interaction that is commonly used by thousands or even millions of people at one point in time may only have been developed a matter of months or even weeks earlier.

It follows that legislation and regulation struggle to keep up and can provide a blunt instrument at best. Leaders in fields such as education, the law and Parliament also need to be involved.

Evidence taken by this committee in regard to the riots in London last August showed that some police forces have identified social networks as providing both challenges and opportunities, with the message from one chief constable that the police recognised that ‘we need to be engaged’.

In respect of terrorism, as in respect of organised crime, the government should seek to build on the partnership approach to prevention that has proved successful in the field of child abuse and child protection.

The Register asked the UK’s four major ISPs – BT, Virgin Media, BSkyB and TalkTalk – to comment on the home affairs’ committee report.

BT told us:

BT complies with all legislation applying to its activities and co-operates fully with law enforcement agencies as appropriate in relation to relevant legislation.

The 2006 Terrorism Act created several new offences of relevance to online content, under which we operate a takedown policy for websites when required to do so. The law enforcement agencies determine what content falls within the Act and notify us through the appropriate single point of contact arrangements with them.

ISPs are not in a position to make legal judgements on what constitutes terrorism, extremism or radicalisation.

It is not for ISPs to proactively monitor material available online. There are privacy and freedom of expression implications as well as the more practical consideration of the sheer volume of content online. The current approach of notice and takedown, which takes place within the legislative framework (with auditing and oversight), is the most effective and practical solution.

Virgin Media said it was “preparing a statement”.

Meanwhile, MP Keith Vaz, who is chairman of the committee, said: “The conviction last week of four men from London and Cardiff radicalised over the internet, for a plot to bomb the London Stock Exchange and launch a Mumbai-style atrocity on the streets of London, shows that we cannot let our vigilance slip.

“More resources need to be directed to these threats and to preventing radicalisation through the internet and in private spaces. These are the fertile breeding grounds for terrorism.”

The MPs also recommended that the government rename its ‘Prevent’ strategy as something a good deal fluffier “to reflect a positive approach to collaboration with the Muslim communities of the UK”. The moniker ‘Engage’ was recommended. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/06/home_affairs_internet_radicalism/

BTJunkie closes shooting gallery

Popular torrent search engine BTJunkie – nothing to do with BT – is voluntarily closing, according to a notice posted on the site, without offering a reason. The site has indexed other torrent trackers since 2005, and was the fifth most popular Torrent site.

“It’s the end of an era”, reckons one piracy fansite. BTJunkie users took to Twitter to express their disappointment:


The site has not been on the receiving end of litigation from copyright-holders, and it’s hard to see what recent legislative changes might have caused the operators to reconsider. ACTA has been watered down, leaving copyright-holders with nothing new, while SOPA has been shelved. And the recent high-profile bust of MegaUpload and its bosses took years of electronic monitoring and co-ordination between various agencies on a huge scale.

Perhaps the perception of increased risk did the trick. Or maybe they just got bored, and wanted to go out with a bang. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/06/btjunkie_bye/

Job-seeking Marriott hacker gets 30 months’ porridge

A job-seeking Hungarian hacker who tried to land work with Marriott by hacking into the hotel chain’s network before “offering” to sort out the resulting mess has been found guilty of hacking and attempted extortion and jailed for 30 months.

Attila Nemeth, 26, admitted sending Trojan-infected emails to workers at the hotel late in 2010, allowing him to access back-end servers from the PCs he managed to infect. Nemeth extracted sensitive information which he threatened to reveal unless the hotel chain offered him a job maintaining Marriott’s systems.

Marriott responded to this by reporting Nemeth to the US Secret Service, which ran a sting operation. Nemeth entered into an email and phone conversation with a fed posing as a hotel manager before he was persuaded to travel to the US, ostensibly to attend an all-expenses-paid job interview.

Under the guise of an interview, Nemeth was coaxed into explaining how he hacked into Marriott’s systems. He was subsequently arrested and charged with computer crime and extortion.

The hacker pleaded guilty to both offences last November prior to a sentencing hearing last week, where he was sentenced to 30 months behind bars, the Wall Street Journal reports.

Marriott estimates Nemeth’s hack resulted in expenses of between $400,000 and $1m in consultant expenses and other costs associated with figuring out how much damage the hacker might have caused. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/06/marriott_hacker_jailed/

Avast false alarm hits Steam’s weekend gamers

Freebie anti-virus scanner Avast falsely identified an executable associated with the popular Steam gaming platform as a Trojan on Sunday.

The snafu, which persisted for around 90 minutes, meant that SteamService.exe was wrongly identified as a Trojan (specifically Trojan-gen) and sent to quarantine. Judging by posts on Steam forums, many tech-savvy gamers hit by the problem correctly deduced that a false positive was to blame for the problem, rather than a genuine malware infection.

A spokesperson for the Czech Republic-based firm confirmed this on Monday afternoon, stating “There was a very brief false positive issue which was corrected in 1.5 hours.”

The misfiring virus definition file that caused the problem has been withdrawn.

Gamers hit by the problem will have to recover files from quarantine. In some cases this may involve re-installing Steam, if past experience of similar problems is anything to go by.

False positives are a perennial problem in anti-virus scanners that hits all vendors from time to time. Even though testing procedures have been improved, mistakes still occur.

Anti-virus false alarms cause the most inconvenience where system files are falsely flagged as malicious, thus consigning important files to quarantine and leaving users with unstable PCs that might even fail to boot properly. That’s not the case with the Steam false alarm, which is best characterised as an annoying inconvenience rather than anything more severe. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/06/avast_steam_false_positive/

Hackers may be able to ‘outwit’ online banking security devices

Hackers may already be able to use malware to outwit the latest generation of online banking security devices, security watchers warn.

An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Using such two-factor authentication devices means that even if hackers trick consumers into handing over their bank login passwords they still won’t be able to raid online banking accounts.

But although basic phishing attacks will fail, it might still be possible for hackers to monitor and alter a user’s communication with a banking site using malware. Hackers could set up a fake banking website and prompt users attempting to log into their account for both their online login credential and, for example, a PINSentry code, a pseudo-random number that changes every minute or so. This information would allow cybercrooks to log onto the genuine banking website, posing as a customer, before authorising fraudulent transfers or other payments.

This variant of a classic man-in-the-middle attack is known in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years, so the attack isn’t new.

Phishers have been having a pop at two-factor authentication devices since at least 2006, if not earlier. Targets over the years have included customers at Citibank and some Nordic banks, among others.

While the tactic is understood in security circles, it is doubtful that many consumers are aware of it, so the BBC Click investigation is welcome in helping to publicise the issue.

The investigation – which does not highlight new instances of fraud or include quotes from victims – makes it clear that the threat is not tied to the technology supplied by any particular bank.

A spokeswoman for Financial Fraud Action told El Reg that the attack scenario illustrated the importance of keeping computer security up to date, as well as taking advantage of any additional security measures their bank might provide.

“Consumers ought to keep using the banking authentication devices,” she said, adding that “even if consumers are unlucky enough to become victims of fraud they ought to be able to get reimbursed because the onus is on the bank to prove negligence.”

This seems fair enough but it’s worth noting that disputes over phantom withdrawals from ATMs are far from unknown. Consumers will probably get reimbursed for fraudulent transfers authorised using two-factor authentication devices but they’re likely to have a tougher job in persuading banks that they didn’t have anything to do with a transaction than might otherwise be the case.

Wolfgang Kandek, CTO of Qualys, said even though using banking authentication devices wasn’t a foolproof way to stay safe while banking online, they are still worth using.

“Banks that offer two-factor authentication devices raise the bar for online security by a large margin. Common malware often found on PCs is not equipped to deal with the additional authentication steps required when using these devices.

“Nevertheless, no protection is complete. Advanced attackers have found ways to circumvent the additional security measures by infecting the user’s browser and monitoring and altering the user’s communication with the banking site. However, the malware needs to work much harder, because the user needs to be tricked into disclosing additional token codes, and the malware needs to act quickly, before they expire, typically after 60 seconds.

“Keeping your browser up to date will repel these infections at the onset, as attackers typically use well known browser vulnerabilities as their entry method to your PC,” he added.

Banks deploying two-factor authentication have reportedly benefited from a substantial drop in fraud levels, although hard figures on this are difficult to come by. Trust in authentication devices shouldn’t be undermined by what boils down to a malware attack targeted at an end user’s computer.

Hugh Callaghan, a security expert at management consultancy Ernst & Young, said that banks need to rely on multiple security measures to reduce the possibility of fraud.

“There is no single, easy, solution for the banks to ensure the security of their online banking systems,” he said. “A combination of techniques, working to complement each other, is required rather than relying solely on two-factor authentication regardless of how sophisticated this technique seems. Any approach to combating attacks against online banking must include updating and implementing rigorous anti-fraud control design processes, monitoring for any out of the ordinary customer transactions and tracking browsing patterns all of which could indicate an attack.”

“We are also witnessing the emergence of newer techniques which require further development to be effective. For example, the use of full transaction data signing that requires users to input data to the token that they know is directly linked to the payment; this is usually a beneficiary account number. Unfortunately this can also be attacked, for example it can be dressed up as a ‘security test’ by misleading pop-ups in the browser,” Callaghan added. ®
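The difference Kandek and Callaghan describe, between a time-limited code that merely proves the token is present and a transaction-signing code that is bound to the beneficiary the user typed into the token, can be made concrete with a small simulation. The following is an added illustration written for this page, not code from any bank, BBC Click, Qualys or Ernst & Young; the token secret is a constructed value, the 60-second step follows Kandek's "typically after 60 seconds", and the HOTP-style truncation is taken from RFC 4226. It shows why an in-browser rewrite of the beneficiary account slips past a plain time-based code but is rejected when the code was computed over the transaction data.

```python
import hashlib
import hmac
import struct
import time

# Constructed example secret standing in for the key a bank provisions into a
# customer's token. Hypothetical value, not taken from any real device.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
OTP_STEP_SECONDS = 60  # codes roll over roughly once a minute, per the article


def _truncate(digest: bytes, digits: int = 8) -> str:
    """Dynamic truncation as in RFC 4226: the low nibble of the last byte
    selects a 4-byte window, which is reduced to a fixed number of digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_code(secret: bytes, now: float) -> str:
    """Time-based one-time code: depends only on the secret and the time step.
    Nothing about the payment is mixed in, so it authorises *any* transaction
    submitted while the window is open."""
    counter = int(now // OTP_STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def transaction_code(secret: bytes, beneficiary: str, amount_pence: int) -> str:
    """Transaction-signing code: the token MACs the beneficiary account and
    amount the user keyed in, so the code is only valid for that payment."""
    msg = f"{beneficiary}|{amount_pence}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac)


def bank_accepts_time_code(code: str, now: float) -> bool:
    """Bank-side check for a time-based code (constant-time comparison)."""
    return hmac.compare_digest(code, time_code(TOKEN_SECRET, now))


def bank_accepts_transaction(code: str, beneficiary: str, amount_pence: int) -> bool:
    """Bank-side check: recompute the code over the transaction it actually received."""
    return hmac.compare_digest(code, transaction_code(TOKEN_SECRET, beneficiary, amount_pence))


def simulate(browser_tampered: bool) -> dict:
    """Model one payment. The user always intends to pay `intended`; when
    browser_tampered is True the submission reaching the bank carries a
    different beneficiary, the rewrite a man-in-the-browser performs."""
    intended = ("12345678", 5000)          # constructed account number and 50.00 amount
    submitted = ("99999999", 5000) if browser_tampered else intended
    now = time.time()
    otp = time_code(TOKEN_SECRET, now)                 # user reads this off the token
    signed = transaction_code(TOKEN_SECRET, *intended)  # user keyed the intended beneficiary in
    return {
        "time_code_accepted": bank_accepts_time_code(otp, now),
        "transaction_code_accepted": bank_accepts_transaction(signed, *submitted),
    }


if __name__ == "__main__":
    print("honest browser:  ", simulate(False))
    print("tampered browser:", simulate(True))
```

The defensive point is in the last field: the time-based code is accepted in both runs because the bank cannot tell from it which payment the customer meant, whereas the transaction-bound code fails the moment the beneficiary in the request differs from the one the customer keyed into the token. It also shows the residual weakness Callaghan raises: the scheme only holds if the customer keys in the genuine beneficiary, so a pop-up that talks them into signing attacker-supplied data defeats it.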

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/06/online_banking_security/