STE WILLIAMS

pcAnywhere let anyone anywhere inject code into PCs

Symantec is urging users to patch pcAnywhere, its remote control application, following the discovery of a brace of serious security flaws.

The more severe of the two holes lets a remote attacker inject code into vulnerable systems: the service listening on TCP port 5631 can be made to overflow a fixed-length buffer during the authentication process, so the attacker needs no valid credentials. Exposure to this attack ought to be blocked by a properly configured firewall, but relying on that instead of patching vulnerable systems would be reckless.
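The firewall advice above is only as good as your inventory. The following is an added example, not Symantec's code and not part of the original article: a small Python check that reports which hosts accept TCP connections on the pcAnywhere port from wherever you run it (ideally an untrusted network segment). It completes a TCP handshake only and sends no pcAnywhere protocol data. The host list, the local loopback listener used by demo(), and the port constant's name are assumptions for illustration.

```python
"""Inventory check for hosts exposing the pcAnywhere service port (TCP 5631).

Added example; not Symantec's code and not from the original article. It only
tests whether the port completes a TCP handshake, sends no application data
and makes no attempt at exploitation.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

PCANYWHERE_PORT = 5631  # the TCP port named in the advisory (constant name is ours)


def port_is_open(host: str, port: int = PCANYWHERE_PORT, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out or unreachable: not exposed from this vantage point.
        # A timeout may still mean a filtering firewall rather than no service.
        return False


def scan(targets: Iterable[Tuple[str, int]], timeout: float = 1.0,
         workers: int = 32) -> List[Tuple[Tuple[str, int], bool]]:
    """Probe (host, port) pairs concurrently; results keep the input order."""
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: port_is_open(t[0], t[1], timeout), targets))
    return list(zip(targets, results))


def find_exposed(hosts: Iterable[str], port: int = PCANYWHERE_PORT,
                 timeout: float = 1.0) -> List[str]:
    """Hosts on which `port` accepts connections from this machine."""
    return [host for (host, _), exposed in scan(((h, port) for h in hosts), timeout)
            if exposed]


def demo() -> dict:
    """Offline run: a throwaway loopback listener stands in for an unpatched
    pcAnywhere host behind a too-permissive firewall (constructed target), and a
    port that was bound then released stands in for a blocked or absent service."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        report = {"exposed": [], "not_exposed": []}
        targets = [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]
        for (host, port), exposed in scan(targets, timeout=0.5):
            report["exposed" if exposed else "not_exposed"].append(f"{host}:{port}")
        return report
    finally:
        listener.close()


if __name__ == "__main__":
    # Real use: find_exposed(["10.0.0.5", "10.0.0.9"]) from outside the trusted LAN.
    print(demo())
```

A host that shows up as exposed from an untrusted segment needs both the patch and a firewall rule; one that times out may be filtered, but that tells you nothing about whether it is patched.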

The other flaw lets a local user escalate privileges by overwriting files installed by pcAnywhere, although a miscreant will already need access to the vulnerable system to exploit it.

Neither flaw has been weaponised into exploits by hackers, reckons Symantec. The security firm credits Edward Torkington (of NGS Secure) and independent security researcher Tad Seltzer with discovering the flaws.

pcAnywhere 12.5.x as well as versions 7.0 and 7.1 of Symantec’s IT Management Suite Solution are vulnerable.

The discovery doesn’t appear to be related to the recent much-publicised leak of the source code for an older version of pcAnywhere. Bugs discovered by that route would likely result in the immediate exploitation of unpatched flaws rather than responsible disclosure that takes weeks to coordinate, as is the case here.

Symantec published the patches on Tuesday, and they can be applied either manually or automatically using Symantec’s LiveUpdate system. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/pcanywhere_patch/

Why O2 shared your mobile number with the world

O2 has been sharing customers’ phone numbers with every website they visited, but O2 isn’t the only offender – it’s just the one that slipped up and got caught.

The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but will actually suffer very little, as few websites record HTTP headers they don't recognise, such as the one in which mobile numbers were embedded. O2 has provided a simplified FAQ, which explains almost nothing, least of all what the operator might do to prevent such a thing happening again.

To understand how, and why, O2 started leaking customer data one has to realise that mobile networks are very unlike their fixed contemporaries, that they routinely interfere with the web pages sent and received over data connections, and that if they didn’t the UK government would step in and force them to do so.

Delivering customer phone numbers to every website, in the HTTP headers, wasn't a deliberate policy nor some form of conspiracy, just a badly configured proxy that should have removed the data before it left the company's network. Adding the information wasn't the mistake; failing to take it away again is what caused the problem.

How it happened

Mobile web browsing is different from fixed browsing for one important reason – the network can absolutely, and securely, identify the customer from the SIM card, which opens up lots of opportunities unavailable to fixed ISPs. Once the customer has been identified then services can be automatically billed to that user, allowing seamless payments, and privileged information (such as billing or customer care) can be displayed without needing passwords or user names, most of which is genuinely very useful.

A mobile phone can't append its number to web requests: most mobile phones don't know their own number, and even if they did they couldn't be trusted to report it honestly, so the network identifies the user by talking to the SIM, then appends that identity to the HTTP headers for use by other servers within the operator's network, where the header can be trusted because the operator's own equipment inserted it.

There’s no standard way of doing that. Back in 2010 researchers in Germany found the same information in about 20 different HTTP headers [PDF], sometimes replicated by different systems within one operator’s network (two different routers adding the same information, under a different name, entirely unaware of each others’ existence).

If the user is connecting to the billing system, or the operator’s music shop, then that header is used to bill the services to the right account. The header might also be passed to partners such as those handling PayForIt transactions or selling services by agreement with the network operator – a good example being a Java application store selling games on behalf of the network operator.

But if the HTTP request is routed out of the operator's network, and not to a contracted partner, then there's supposed to be a proxy (or similar piece of gateway gear) that removes such headers before the request leaves.

That’s the gear which was wrongly configured at O2, and let the headers through.
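What that gateway should have been doing, as an added example (this is not O2's proxy configuration and not code from the article): strip the subscriber headers by name unless the destination is a contracted partner, and, because the German survey found the same number under some 20 different names, also strip any other header whose value is a bare phone number. The header names, partner domains and sample request below are constructed for illustration; the real names vary by operator and vendor.

```python
"""Egress-side stripping of operator-inserted subscriber headers.

Added example; not O2's proxy configuration and not code from the original
article. Header names and partner domains are constructed for illustration.
"""
import re
from typing import Iterable, List, Tuple

# Constructed denylist: names an operator's own gateways might use to carry the
# subscriber's number or account identifier.
SUBSCRIBER_HEADERS = {
    "x-msisdn",
    "x-up-calling-line-id",
    "x-subscriber-id",
    "x-imsi",
    "x-acct-id",
}

# Constructed allowlist of destinations contracted to receive the identifier.
# Matched as the exact host or a subdomain of it, never as a substring, so
# "shop.example-partner.com.attacker.net" does not qualify.
PARTNER_DOMAINS = {"billing.example-operator.net", "shop.example-partner.com"}

# Standard headers whose values are legitimately numeric; skip the value check.
VALUE_CHECK_EXEMPT = {"content-length", "age", "max-forwards"}

# A bare subscriber number: optional '+', then 10 to 15 digits once spaces and
# hyphens are removed. Dotted values such as IPv4 addresses do not match.
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def looks_like_msisdn(value: str) -> bool:
    compact = re.sub(r"[ \-]", "", value.strip())
    return MSISDN_RE.match(compact) is not None


def is_partner(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PARTNER_DOMAINS)


def filter_egress_headers(dest_host: str, headers: Iterable[Tuple[str, str]]
                          ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Decide which request headers may leave the operator network.

    Returns (headers to forward, names of headers dropped). Contracted partner
    hosts get the request untouched. Everyone else loses the known enrichment
    headers by name, plus any other header whose value looks like a phone
    number, which catches copies added under unfamiliar names by other gear.
    """
    headers = list(headers)
    if is_partner(dest_host):
        return headers, []
    kept: List[Tuple[str, str]] = []
    dropped: List[str] = []
    for name, value in headers:
        lname = name.lower()
        by_name = lname in SUBSCRIBER_HEADERS
        by_value = lname not in VALUE_CHECK_EXEMPT and looks_like_msisdn(value)
        if by_name or by_value:
            dropped.append(name)
        else:
            kept.append((name, value))
    return kept, dropped


if __name__ == "__main__":
    # Constructed request after enrichment: one known header name and one
    # unknown name carrying the same number in a different format.
    sample = [
        ("Host", "www.example.com"),
        ("User-Agent", "Mozilla/5.0"),
        ("Content-Length", "1234567890"),
        ("x-up-calling-line-id", "447700900123"),
        ("X-Forwarded-For", "192.168.100.200"),
        ("X-Operator-Tag", "+44 7700 900 123"),
    ]
    print("dropped for public site:", filter_egress_headers("www.example.com", sample)[1])
    print("dropped for partner:", filter_egress_headers("billing.example-operator.net", sample)[1])
```

The value check is the part that would have saved O2 even with the name list out of date; the cost is a false positive on any non-standard header that legitimately carries a long number, which is why the exempt set exists.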

What happens on other networks

O2’s intended handling of HTTP requests is nothing compared to Vodafone’s, which routinely strips all the headers from requests made by featurephones, making it impossible for sites to optimise content for such handsets. Vodafone even appends its own HTML to pages, adding a navigation bar highlighting its premium services.

Few operators are so brazen, but most will strip out comments and redundant code, and almost all of them compress images and videos for mobile consumption. Few users ever notice that, and in general it makes for a faster browsing experience.

Mobile operators in the UK have also taken it upon themselves to filter out pornography (under threat of legislation if they don’t) until customers have proved their age (generally with a credit card authorisation, but dropping into a shop and looking old works too). They also, like the majority of fixed ISPs, use the Internet Watch Foundation’s list to block access to the worst of the worst.

So when a website pops up on a mobile screen it has already been analysed, compressed, manipulated and mangled, headers have been appended and stripped – and that’s assuming your operator thinks you’re old enough to see the content anyway.

But what’s really weird is that if you’re on O2’s 3G network then it will be busy blocking and managing the content you access, but switch to O2’s Wi-Fi network – a mere 300MHz up the dial – and it’s porno city and they wouldn’t dare touch one’s HTTP headers any more than they’d trust you are who you say you are.

So here we have two philosophies of internet access, separated by a few hundred megacycles. It will likely be the mobile model that ultimately prevails as everyone offering internet access sees the advantage in compressing and mutating content to suit their customers, which means more operators looking at ways to identify their users, and probably more leaks just like this one. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/o2_number_sharing/

Reding’s ‘right to be forgotten’ bill polarises Euro biz world

EU Justice Commissioner Viviane Reding will imminently table a draft bill that will – if passed in Parliament – require internet firms to be upfront about the user data they hold.

The proposal has already been slammed by many businesses in the UK, where opposition to the draft regulation has been particularly fierce.

Reding’s “right to be forgotten” on the internet plan forms part of a huge legislative overhaul of Europe’s 1995 data protection law, which the commissioner has labelled as outdated.

EU observers, businesses and politicos agree with her that the current legislation is in desperate need of a rewrite, but Reding’s draft proposal has drawn fire from many.

“The old adage of ‘Be careful what you wish for’ is apt in relation to the proposed rewrite of data protection laws. Companies have been struggling with unharmonised regulation across Europe for years, but the Commission’s focus on the rights of the individual has resulted in some ideas that are widely seen as unworkable or which will lead to significant costs,” said Jane Finlayson-Brown, a partner in Allen & Overy’s data protection team.

She said the draft bill contains “several draconian new requirements” that could prove “impossible to enforce”.

“The new ‘right to be forgotten’ is particularly contentious,” Finlayson-Brown added.

“While attractive to users of social networks, it will apply generally and will require many organisations to re-engineer business processes and technologies.

“The question that many people will ask, given the economic climate and the associated costs of compliance, is whether this additional requirement is really worthwhile given that individuals’ personal data are so widely and voluntarily made available on the net.”

Law firm Osborne Clarke echoed that criticism. Its head of data privacy, James Mullock, said: “It’s rather odd that Commissioner Reding is claiming that the new rules will cut EU companies’ running costs.

“Leaked versions of what is expected to be announced… clearly show the EC’s train of thought is to increase the overall regulatory burden on business and require more time, personnel and cash to be thrown at compliance.”

He highlighted the amount of policing work that would be required of the likes of the Information Commissioner’s Office in the UK if the draft bill, as it currently stands, trickles its way into the national law books of the 27-member bloc.

“Data privacy is an important individual freedom, and clearly it is important that the current law is updated. But it is fatuous to claim that complying with the rules will actually save companies money,” Mullock added. “On the contrary, these measures are likely to cost EU businesses billions to implement and even more to maintain on an on-going basis.”

The Business Software Alliance also waded in with its own unsurprising attack on Reding’s proposal.

“The Commission’s proposal today errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information,” said the BSA’s European government affairs director, Thomas Boué.

“The rules should focus more on the substantive outcomes that matter most to citizens. The risk in the proposal’s current design is that it will bog down companies with onerous compliance obligations, which could inhibit digital innovation at the expense of job creation and growth,” he added.

“Done well, a harmonised data-protection framework will create a more cohesive Single Market by eliminating unnecessary confusion among service providers and users.

“But there is a critical balance to be struck. The rules should protect people’s privacy rights while also ensuring they have access to the full complement of services the internet has to offer.”

But not everyone has reacted negatively to the proposed regulation.

Document management outfit Iron Mountain said the draft bill might help force internet businesses to take a long, hard look at their current security policies.

“Many businesses of all sizes are falling short of what is required to manage information responsibly,” said the company’s head of information security Christian Toon.

“In today’s increasingly scrutinised business environment, the lack of a solid and legally compliant information management policy is inexcusable.

“Regardless of turnover, sector or country of operation, making sure that employee and customer information is protected should be common practice, not a reaction to new legislation,” he added.

Facebook said: “We welcome Vice President Reding’s view that good regulation should encourage job creation and economic growth rather than hindering it, and look forward to seeing how the EU Data Protection Directive develops in order to deliver these two goals while safeguarding the rights of internet users.”

The Register will bring you full coverage of Reding’s data protection announcement later today. Stay tuned… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/europe_data_protection_proposal/

Super-powered ‘frankenmalware’ strains detected in the wild

Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties.

The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers.

A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” among 10 million infected files examined in early January, or 0.4 per cent of the files sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the Romanian antivirus firm warns.

“If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said Loredana Botezatu, the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.”

BitDefender doesn’t have historical data to go on. Even so it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 per cent year on year.

All of the malware hybrids analysed by BitDefender so far have been created accidentally. However, the risk posed by these combos could increase dramatically as crooks latch onto the idea of deliberately splicing malware strains together to see what sticks. This is on top of efforts by blackhat coders to add extra features to others’ viruses and unleash the updated builds onto the unsuspecting public.

BitDefender carried out its study after finding a sample of the Rimecud worm that was infected by the Virtob file infector. Rimecud is designed to steal online passwords for e-banking or e-mail accounts, among other functions. Virtob creates a hacker-controlled backdoor on infected systems.

“Imagine these two pieces of malware working together – willingly or not – on the same compromised system,” Botezatu explains. “That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.”

More details on the threat can be found in a post on BitDefender’s Malware City blog. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/frankenmalware/

O2 3G stops giving punters’ mobile numbers to websites

After a flurry of complaints, O2 engineers appear to have shut off the proxy server quirk that leaked to websites the phone numbers of punters browsing the net on 3G connections.

The disclosure that affected all users of O2’s 3G network on iPhone and Android in the UK was highlighted earlier today. O2 has yet to issue an official statement on the matter, but we can imagine wonks working furiously in the background to fix the blunder. The telco described its investigation of the issue as a priority.

Quick tests show that the HTTP header containing the telephone number is no longer present in requests reaching website servers via O2 UK’s network. Either the telco’s proxy systems now strip out that information before requests are sent out to the world wide web, or they no longer append it in the first place.
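The “quick test” is easy to reproduce from the website side. The following is an added example, not code from the article and not O2’s: a small Python echo endpoint that reports every request header it receives and flags any whose value is a bare 10 to 15 digit number. Run serve() on a host outside the operator’s network and fetch the URL from a handset on mobile data; self_test() drives the same endpoint with constructed requests (the header name and number in it are made up) so that it also runs offline.

```python
"""Site-side check for subscriber identifiers arriving in HTTP requests.

Added example; not code from the original article and not O2's. serve() runs
an echo endpoint, self_test() exercises it offline with constructed requests.
"""
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, List, Tuple
from urllib.request import Request, urlopen

NUMBER_RE = re.compile(r"^\+?\d{10,15}$")  # bare phone-number shape
VALUE_CHECK_EXEMPT = {"content-length"}    # legitimately numeric standard header


def flag_number_like(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Names of headers whose value, minus spaces and hyphens, is a 10-15 digit number."""
    flagged = []
    for name, value in headers:
        if name.lower() in VALUE_CHECK_EXEMPT:
            continue
        compact = re.sub(r"[ \-]", "", value.strip())
        if NUMBER_RE.match(compact):
            flagged.append(name)
    return flagged


class HeaderEchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        received = list(self.headers.items())
        body = json.dumps({"received": received,
                           "flagged": flag_number_like(received)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the console quiet
        pass


def serve(host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Start the echo endpoint in a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), HeaderEchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_report(url: str, extra_headers: Dict[str, str]) -> dict:
    with urlopen(Request(url, headers=extra_headers), timeout=5) as resp:
        return json.loads(resp.read().decode())


def self_test() -> Dict[str, List[str]]:
    """Offline run: one constructed request shaped like a pre-fix request
    (header name and number are made up) and one clean request."""
    server = serve()
    url = f"http://127.0.0.1:{server.server_port}/"
    try:
        leaky = fetch_report(url, {"X-Up-Calling-Line-Id": "447700900123"})
        clean = fetch_report(url, {"X-Operator-Tag": "gb-lon-3g"})
        return {"leaky": [n.lower() for n in leaky["flagged"]],
                "clean": [n.lower() for n in clean["flagged"]]}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(self_test())
```

Header names are lower-cased in the report because clients and proxies are free to change their capitalisation; compare names case-insensitively when you automate this.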

We await O2’s statement on the reasons for the number-leaking blooper. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/o2_stop_phone_number_leak/

Pwn2Own 2012 touts bigger prizes, drops mobile hacks

Organisers of the CanSecWest security conference have changed the rules for the next outing of its Pwn2Own computer hacking contest.

The prize money will be increased, but smartphone hacks have been dropped from the competition. Instead Pwn2Own will challenge security researchers to develop browser exploits in order to hack into PCs. Target systems will include Windows and Mac machines running Internet Explorer, Apple Safari, Google Chrome and Mozilla Firefox.

Unlike previous years, the contest will be points-based, with all platforms in play throughout the competition. Bonus points will be offered for developing zero-day exploits, but this won’t be decisive, as the revised rules explain.

The three most successful participants will win cash prizes of $60,000, $30,000 and $15,000 in order of ranking, and take away the laptops they manage to compromise. The contest will run during the opening days of CanSecWest, which takes place in Vancouver, British Columbia, between 7 and 9 March. As before TippingPoint is sponsoring the competition.

Google is offering a separate prize of $20,000 for Chrome hacks.

Reaction to the revised set-up has been lukewarm. “I have mixed feelings about the new rules,” said serial Pwn2Own victor Charlie Miller. “Bigger prizes are good. Working on site isn’t my style.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/pwn2own_2012/

Judges probe minister’s role in McKinnon extradition saga

The long-running case of Gary McKinnon returns to court on Friday.

The Royal Courts of Justice will review government ministers’ handling of the extradition case rather than considering whether or not McKinnon ought to face trial in the US, in spite of his well-publicised medical problems. McKinnon, who suffers from Asperger’s Syndrome, has been fighting extradition for nine years.

Janis Sharp, McKinnon’s mum, told El Reg that the hearing on Friday is likely to focus on whether former Home Secretary Alan Johnson erred in disregarding medical evidence that McKinnon was a potential suicide risk if extradited. Judges will be considering only the action of politicians and not hearing arguments on the extradition request itself, Sharp explained.

“The hearing is about the outstanding judicial review against Alan Johnson and about what’s happening with [Home Secretary] Theresa May re-Gary and I’m not sure what else.

“Last year the court wanted the JR [judicial review] to go ahead but both Karen [Todner] (Gary’s solicitor) and the Home Office wanted it put on hold for a time,” she added.

Home Secretary Theresa May is still considering medical evidence that warns McKinnon is unfit to face the stress of a US extradition, trial and likely imprisonment. The campaign to secure a UK trial for McKinnon has attracted celebrity and political support over the years as well as leading to a national debate on extradition arrangements between the US and UK, which critics argue are one sided and unfair.

McKinnon, 45, admits hacking Pentagon and NASA computers in 2001 and 2002 in the hunt for a supposed cover-up by the US military of encounters with UFOs and harvested alien technology. He maintains that he broke into poorly secured networks using off-the-shelf hacking tools and denies causing any damage, contrary to US claims otherwise. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/mckinnon_case_back_in_court/

Nokia busted for dodgy SMS to customers

Nokia has fallen foul of the Australian Communications and Media Authority, incurring an AU$55,000 fine following consumer complaints over its SMS marketing practices.

The watchdog commenced an investigation into the vendor’s SMS marketing activity and found that Nokia’s text ‘tips’ delivered to handset users did not include details of how customers could stop receiving them, as required by the Spam Act.

“SMS allows businesses to reach their customers no matter where they are or what they are doing. But with that opportunity come responsibilities under the Spam Act, including the obligation to include an unsubscribe facility in marketing messages,” said ACMA Acting Chairman Richard Bean.

Following the investigation, Nokia Corporation has submitted to an enforceable undertaking under which it will appoint an independent consultant to audit its systems and processes, develop a plan to carry out the consultant’s recommendations, train the employees engaged in SMS marketing in the requirements of the Spam Act, and make a payment of AU$55,000.

During 2010-11, the ACMA recorded a 370 percent year-on-year increase in reports from the public about SMS messages believed to be spam.

The stern slap from the watchdog comes days after the UK communications regulator Ofcom came down on Nokia and Channel 5 for failing to make it sufficiently clear to viewers that the TV company had taken the Finnish phone giant’s sponsorship euros as part of Nokia’s Lumia 800 Windows Phone handset promotion. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/24/nokia_stalks_own_customers/

US govt security advice site trashed by hackers

Anonymous and LulzSec members have hacked US government security web site OnGuard Online and defaced it, forcing it offline, in retaliation for the recent MegaUpload takedown and the controversial Anti-Counterfeiting Trade Agreement (ACTA), the groups have announced.

Anonymous has been ramping up its opposition to ACTA on Twitter via the #ActAgainstACTA hashtag and has been a vocal opponent of the US government’s move to silence file-sharing site MegaUpload last week and arrest the men behind it.

Late on Monday local time, Anonymous tweeted from one of its official accounts that it had hacked the OnGuard Online site, which is managed by the Federal Trade Commission and is similar to the UK’s Get Safe Online.

At the time it defaced the site with a message, also posted to Pastebin, detailing its beef with the authorities. The site is now down, presumably as its admins work out how to clean it up while addressing the security flaws which made the hack possible in the first place.

“umad? don’t like it when your site is wiped of the internet do you? If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate internet, destroying dozens upon dozens of government and company web sites,” the message read.

“As you are reading this we are amassing our allied armies of darkness, preparing boatloads of stolen booty for our next raid. We are sitting on hundreds of rooted servers getting ready to drop all your mysql dumps and mail spools. Your passwords? Your precious bank accounts? Even your online dating details?! You ain’t even trying to step to this.”

Alongside the message were the email addresses of FTC employees as well as a lengthy log of the hack itself.

The attack was launched under the banner of the AntiSec campaign waged by members of Anonymous and LulzSec against law enforcement and government agencies since last summer.

With SOPA and PIPA both still far from dead and ACTA getting ever closer to ratification by the European Union, the next few weeks could be a busy time for web security teams and hacktivists alike.

In Poland, for example, the majority of government websites were taken offline at the weekend after a DDoS attack from Anonymous protesting ACTA.

The FTC could not immediately be reached for comment. OnGuard Online was still down at the time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/24/antisec_sopa_acta_hack/

Campaign launched to teach consumers about ad-stalking

An organisation representing US marketing bodies has launched a new advertising campaign to raise consumer awareness of online behavioural advertising (OBA).

The Digital Advertising Alliance (DAA) campaign, called ‘Your AdChoices’, consists of banner advertising designed to drive users towards “educational videos” and controls over how adverts are personalised to them, it said.

The DAA, which comprises four marketing bodies including the Internet Advertising Bureau (IAB) and Direct Marketing Association, said the initiative would help inform internet users about the way OBA works, but a privacy group told Out-Law.com that the campaign would not address privacy concerns over how consumer data was collected and used.

In 2010, the DAA published a self-regulatory code on OBA requiring advertisers and website operators signed up to the scheme to provide internet users with certain information about the personalisation of ad content.

One of the rules of the code requires OBA companies to post an interactive icon that indicates that ads have been served through personalised targeting. The icon links through to a website that contains information on how data collected from individuals is used to serve personalised ads. The website also enables users to manage controls over what data individual operators can collect about them.

Publishers and advertising networks use cookies to track user activity across websites and build up a picture of each person’s interests, so that they can serve adverts for the goods and services they think that person will respond to.

“With widespread industry adoption of the DAA’s self-regulatory principles, the DAA remains committed to informing consumers about interest-based advertising, online data collection and use, and the simple way they can exercise control over their web viewing data,” Peter Kosmala, managing director of the DAA, said in a statement. “This highly creative public education campaign is an important step in that ongoing process.”

“The initial stage of this multi-phase online campaign includes banner advertising that directs consumers to the DAA’s Icon and links to a new, information website, www.youradchoices.com, which features three educational videos and a user-friendly consumer choice mechanism,” the DAA statement said.

The interactive icon features on 900 billion “ad impressions” every month and more than 400 companies, including American Express, Microsoft and Disney, are signed up to observe the OBA code, the DAA said. Earlier this month, the IAB said that companies signed up to the OBA framework should display the interactive icon, along with almost every ad that is served.

Last year IAB Europe issued guidelines on what website operators signed up to the voluntary OBA framework should do to comply with the rules. Posting an interactive icon, complete with accompanying explanatory language, is just one of the rules set out in the code.

Website operators must also give users an easy method for turning off cookie tracking on their own site, and must make it known to users that they collect data on them for behavioural advertising, the regulations stipulate. Websites adhering to the regulations also have to publish details of how they collect and use data, including whether personal or sensitive personal data is involved. Details of which advertisers or groups of advertisers they make the data available to also have to be published.

The code has been criticised by EU privacy watchdog the Article 29 Working Party, which has said the methods used for displaying information to users and allowing them to opt out of behavioural tracking are insufficient on their own to confer user consent to being tracked, as required by EU law.

Nick Pickles, director of privacy and civil liberties group Big Brother Watch, told Out-Law.com that although the DAA’s consumer education drive was a “positive step”, it was still “far from clear” whether self-regulation could deliver privacy for internet users.

“Internet users need to be confident that if the law is not being adhered to, there is a proper regulator who can take up their complaint and deliver an effective remedy. For UK web users, it is far from the case that they have such a regulator to protect their interests. Consumers still remain largely in the dark about just how much information is being collected about them online for advertising purposes, not just in browsing habits but also social networking and email scanning,” Pickles said.

Under the EU’s Privacy and Electronic Communications Directive storing and accessing information on users’ computers is only lawful “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”.

An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

The Directive takes its definition of ‘consent’ from EU data protection laws, which state that consent must be “freely given, specific and informed”. The new laws were implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain “informed consent” to tracking users through cookies. The UK’s Information Commissioner’s Office has the power to impose penalties of up to £500,000 on websites that breach the new regulations.

In June 2011, the EU Commissioner Neelie Kroes gave EU companies a year to standardise the way internet users could opt out of being tracked. She said the companies could learn from the advertising sector’s self-regulatory rules.

However, the European Data Protection Supervisor criticised Kroes’ recommendation of the OBA code and said the self-regulatory rules “failed to implement the new consent requirement”.

The IAB has insisted that its OBA code was not designed to be compliant with the EU Directive, but that it could be used alongside other methods in order to obtain consent.

Randall Rothenberg, IAB president and chief executive told Out-Law.com that the DAA’s advertising campaign will help users gain control over the things they see online.

“The power of digital is in its ability to give people exactly what they want when they want and where they want it,” Rothenberg said.

“Now, alongside the DAA, the entire interactive industry has come together to strengthen our commitment to consumers – first, by self-regulating to assure their privacy rights and expectations are served; second by providing resources to allow them to understand and manage the use of their personal data; and third, to guide them toward the advertising, news, information, and entertainment that is most relevant to their interests,” he said.

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/24/ad_campaign_launched_to_educate_consumers_about_online_behavioural_dvertising/