STE WILLIAMS

Kaspersky claims ‘smoking code’ linking Stuxnet and Duqu

Researchers at Kaspersky Lab are claiming to have found proof that the writers of the Stuxnet and Duqu malware are one and the same, and are warning of at least three new families of advanced malware potentially in circulation.

Security experts have been debating if the two code groups are by the same authors, but the evidence has been inconclusive. An analysis by NSS last month suggested that the two were linked, but this might be down to reverse engineering, rather than the original coding.

Alexander Gostev, chief security expert at Kaspersky Lab, said that researchers had examined drivers used in both Stuxnet and Duqu and concluded that a single team was most likely behind them both, based on the timing of their creation and their methods of interacting with the rest of the malware code.

“We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team,” he said in a statement.

The researcher’s data suggests both were built on a common platform, dubbed Tilded because it uses many files beginning with the tilde symbol “~” and the letter “d.” The platform was built around 2007 or later, and was updated in 2010 – possibly to evade countermeasures.

Kaspersky’s director of global research analysis, Costin Raiu, told Reuters that the platform and drivers involved would indicate five families of malware had been made using the platform already, and that others may be in development. The modularity of the systems makes it easy for the malware writers to adapt their creations to new purposes and techniques.

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/30/kaspersky_stuxnet_duqu_link/

Wi-Fi Protected Setup easily unlocked by security flaw

Security researcher Stefan Viehböck has demonstrated a critical flaw in the Wi-Fi Protected Setup standard that opens up routers to attack and has prompted a US-CERT vulnerability notice.

Wi-Fi Protected Setup (WPS) is used to secure access to wireless networks and requires each router to have a unique eight-digit PIN. One mode of use allows a device to connect by just presenting that PIN, opening the way for a client to just try every available PIN. Worse still, the protocol splits the PIN into two halves, which reduces the attack time to a couple of hours.

Eight digits should produce 100,000,000 possible combinations, and, testing various routers, Viehböck found it took an average of around two seconds to test each combination. So brute forcing should take several years unless the router was particularly responsive.

But the protocol used by Wi-Fi Protected Setup reports back after the first four digits have been entered, and indicates if they are right, which means they can be attacked separately. The last of the eight digits is just a checksum, so having got the first four the attacker only then has to try another 1,000 combinations (identifying the other three digits) and the entire PIN is known.

That combination means that our attacker only has to try 11,000 different combinations to find the right PIN, reducing the attack time to a couple of hours.

In documented tests (PDF, surprisingly understandable) Viehböck found that of all the routers he tried only the one from Netgear had any sensible response to being repeatedly presented with incorrect PINs, slowing its responses to mitigate against the attack, but with only 11,000 combinations to try that only extended the attack time to a day or so.

Most services will start to slow up when incorrect credentials are presented repeatedly, but it seems router manufacturers have relied on the huge number of possible PINs to keep them safe. Hopefully that means a simple software fix, but until then US-CERT is recommending that WPS be switched off, and going back to the MAC address white list. ®
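The arithmetic above, carried through as an added example (Python; not code from the article or from Viehböck's paper): it derives the WPS checksum digit from the specification rule, counts the trials needed for whole-PIN versus split-PIN confirmation at the two-second average reported above, and models a hypothetical rate-limit policy to show how much more a lockout buys a defender than a mere slowdown.

```python
"""Worked arithmetic for the WPS PIN weakness described above.

Added example; it is not from the article or from Viehböck's paper. The
checksum rule is the one given in the WPS specification as I understand it:
the eighth digit makes 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8 a multiple of 10.
The rate-limit policy modelled at the end is hypothetical.
"""

SECONDS_PER_ATTEMPT = 2.0  # average per PIN trial reported in the article


def wps_checksum(first_seven: str) -> int:
    """Checksum digit for a seven-digit PIN prefix (WPS specification rule)."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    acc = 0
    for i, ch in enumerate(first_seven):
        digit = int(ch)
        acc += 3 * digit if i % 2 == 0 else digit  # digits 1,3,5,7 weigh 3
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an eight-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def attempts_whole_pin(attacker_knows_checksum: bool = True) -> int:
    """Worst-case trials if the router only ever confirmed the whole PIN.

    10**8 strings, or 10**7 once the checksum rule removes one free digit.
    """
    return 10 ** 7 if attacker_knows_checksum else 10 ** 8


def attempts_split_pin() -> int:
    """Worst-case trials under the real protocol: the first four digits are
    confirmed on their own (10**4), then only three digits of the second
    half are free because the eighth is the checksum (10**3)."""
    return 10 ** 4 + 10 ** 3


def worst_case_hours(attempts: int,
                     seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    """Hours to exhaust `attempts` trials at a fixed per-trial delay."""
    return attempts * seconds_per_attempt / 3600.0


def hours_under_rate_limit(attempts: int, max_per_window: int,
                           window_seconds: float) -> float:
    """Hours to exhaust `attempts` trials when the registrar accepts at most
    `max_per_window` PIN trials per `window_seconds` (hypothetical policy),
    ignoring the per-trial delay itself."""
    windows = -(-attempts // max_per_window)  # ceiling division
    return windows * window_seconds / 3600.0


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    print("whole-PIN worst case (years):",
          worst_case_hours(attempts_whole_pin(False)) / (24 * 365))
    print("split-PIN worst case (hours):",
          worst_case_hours(attempts_split_pin()))
    print("split-PIN, 3 trials per hour (days):",
          hours_under_rate_limit(attempts_split_pin(), 3, 3600) / 24)
```

With the split protocol the worst case is about six hours; a registrar that accepts three trials an hour stretches the same 11,000 trials to roughly 150 days, which is why a real lockout rather than a slowdown is the useful firmware change.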

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/29/wi_fi_not_protected/

Microsoft announces ASP.NET zero-day vuln

Just in case anybody’s got a BOFH working at the moment, pay attention: Microsoft has released a security advisory covering a zero-day vulnerability in ASP.NET.

“The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision,” the advisory says. The vulnerability exposes users to denial-of-service attacks.

An attacker could craft an HTTP request containing thousands of form values, which would consume all of the CPU resources of the target machine. Sites serving only static pages are not vulnerable to the attack. “Sites that disallow application/x-www-form-urlencoded or multipart/form-data HTTP content types are not vulnerable”, the advisory states.

Microsoft is not yet aware of any exploits in the wild.

A workaround ahead of the patch, according to the advisory, is to set a limit on the size of HTTP request the server will accept. ®
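A toy model of the problem and the workaround, added here as an example (Python; not Microsoft's code and not the real ASP.NET hash function): a deliberately weak constructed hash, a chained table that counts key comparisons, and a hardened parser that applies a request-size cap, as the advisory recommends, before any hashing happens. The size and key-count limits are constructed values.

```python
"""Toy model of the form-post hash-collision denial of service described
above, next to the advisory's workaround of capping request size.

Added example: not Microsoft's code and not the real ASP.NET hash function.
`weak_hash`, the size and key-count limits and the sample bodies are all
constructed here so the cost difference is visible offline.
"""
from urllib.parse import unquote_plus

MAX_BODY_BYTES = 2048  # constructed limit, in the spirit of the advisory's workaround
MAX_FORM_KEYS = 500    # constructed second control: cap the number of values


def weak_hash(key: str) -> int:
    """Deliberately weak, constructed hash: only the last character counts,
    so any number of distinct keys can be made to share one bucket."""
    return ord(key[-1]) if key else 0


class ChainedTable:
    """Minimal chained hash table that counts key comparisons, which is the
    CPU cost that explodes when every key lands in the same chain."""

    def __init__(self, buckets: int = 256) -> None:
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[weak_hash(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1  # one string compare per entry already in the chain
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def __len__(self) -> int:
        return sum(len(chain) for chain in self.buckets)


def parse_form(body: str) -> ChainedTable:
    """Unhardened parse of an application/x-www-form-urlencoded body."""
    table = ChainedTable()
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        table.put(unquote_plus(key), unquote_plus(value))
    return table


def parse_form_hardened(body: str, max_bytes: int = MAX_BODY_BYTES,
                        max_keys: int = MAX_FORM_KEYS) -> ChainedTable:
    """Reject oversize bodies before hashing anything (the advisory's
    workaround), and also refuse more form values than a real form needs."""
    if len(body.encode("utf-8")) > max_bytes:
        raise ValueError("request body exceeds %d bytes" % max_bytes)
    if body.count("&") + 1 > max_keys:
        raise ValueError("more than %d form values" % max_keys)
    return parse_form(body)


def colliding_body(n: int) -> str:
    """Constructed body with n distinct keys that all end in 'x', so they all
    collide under weak_hash; the table then does n*(n-1)/2 comparisons."""
    return "&".join("k%dx=1" % i for i in range(n))


if __name__ == "__main__":
    for n in (100, 200, 400):
        table = parse_form(colliding_body(n))
        print(n, "colliding keys ->", table.comparisons, "comparisons")
    try:
        parse_form_hardened(colliding_body(2000))
    except ValueError as exc:
        print("hardened parser refused:", exc)
```

Doubling the number of colliding keys quadruples the comparison count, which is the quadratic blow-up the advisory describes; the hardened parser never reaches the hashing step for an oversized body.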

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/28/ms_zero_day/

Stratfor attackers prep to publish emails

Someone claiming to speak – or at least post – on behalf of Antisec has published a threat on Pastebin that they are planning to release e-mails obtained in the Stratfor Global Intelligence break-in.

This post, which along with some Twitter posts has further fuelled the media frenzy surrounding the attack, states that the e-mails “will vastly improve our ability to continue” what the poster claims, perhaps hubristically, is an investigation into “corruption, crime and deception on the part of certain powerful actors based in the US and elsewhere”.

More reliably, the AnonymousIRC Twitter channel has a post stating that “Stratfor is not the harmless company it tries to paint itself as. You’ll see in those e-mails.”

That Twitter channel also directs readers to this Pastebin post, which links the attack to anger over the Bradley Manning trial, boasts of running up individuals’ credit cards, and threatens further attacks.

AnonymousIRC also claimed that Stratfor was storing credit card CCV numbers along with customer data: “If #Stratfor would give a shit about their subscriber info they wouldn’t store CC/CCV numbers in cleartext, with corresponding addresses”, it Tweeted.

The operator/s of that Twitter account are also threatening to use the card data to make charitable donations, something which drew this Twitter response from Boston-based NGO the Appropriate Infrastructure Development Group: “Folks pls don’t donate with stolen CC, we get hit $35 per fraud transaction”.

The Courier Mail in Australia is reporting that member of parliament and opposition communications spokesperson Malcolm Turnbull is among the victims of the original data breach. However, Turnbull has told the ABC he believes the published data is out of date.

Billionaire businessman David Smorgon is also listed in the data released on Pastebin. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/28/stratfor_part_b/

Facebook suggests you get out more

In another move by Facebook to predict user behaviour, the human herding site has introduced Suggested Events: a feature that will offer bright ideas for what you should do on Friday night. Zuckerberg knows how your little mind works.

Suggested Events will replace Friends’ Events in the lefthand column of the Facebook home page and, as the name suggests, shows you parties, meet-ups and such social stuff that Facebook thinks you’d enjoy gatecrashing.

Normally, the site will only show you the events that you’ve been invited to, but Suggested Events mines your Facebook venue check-ins, friends’ RSVPs and even music taste to fuel an algorithm that can figure out how you’d like to spend your free time.

Facebook is in the process of testing the feature but is rolling it out to its millions of users.

The optimistic will see this as Facebook encouraging offline interaction – prising web junkies off their internet connections and out into the real world. Critics see it as one more freaky Facebook mind game that reveals just how much the site knows about you and your life. It is certainly a move that positions Facebook more firmly at the centre of events advertising and events discovery. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/28/facebook_suggests_you_get_out_more/

Japanese boffins crack arse-based ID recognizer

Researchers at Japan’s Advanced Institute of Industrial Technology have developed a seat that can identify the user by the shape and heft of their buttocks.

The seat, currently designed for use in the car industry, contains 360 sensors measuring pressure points, on a scale of one to 256, and uses the data to build a US-style fanny fingerprint of the designated driver. The system is 98 per cent accurate, associate professor Shigeomi Koshimizu told Physorg.

[Image: Biometric bottom chair. Caption: “I’m feeling your bottom Dave”]

If the auto makers take a liking to the technology the seat could be in use by 2014, but it’s not just the car industry that could be interested. Professor Koshimizu suggested that office equipment suppliers could be keen on using the technology to make sure that office staff can forget the tedious business of remembering passwords, and having HR know the size of their bum.

One of the advantages of the technology, according to the team, is that it’s less awkward than other forms of biometric technology. Doing a retina scan or using a fingerprint machine is intrusive, but sitting down has been normal for mankind since the evolution of the posterior.

At this time of Christmas cheer El Reg can’t help wondering if a week of gorging might not cause an unreasonable amount of support calls, or lead to a more literal meaning of work being a pain in the arse. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/27/japanese_bum_id_recognizer/

What you can do to enforce endpoint security

Thirty years after the PC was launched, security and management problems for the endpoint seem to be getting worse rather than better.

PCs have become more functional, creating a greater surface area for attack. And the number of endpoint devices has proliferated, as tablets, netbooks and smartphones have entered the fray.

The need for endpoint enforcement is therefore greater than ever. This roundup explores some of the risks that enforcement solutions can help to tackle, and examines some key factors to consider when designing solutions.

Assessing the dangers

The risks to modern endpoints are many and varied. PCs, and to a lesser extent Macs and mobile devices, are all potential targets for attackers.

Risks include data harvesting, in which PCs are compromised by malicious software that monitors keystrokes, screen activity or network traffic to pick up sensitive details. Data harvesting software may also simply scan the PC’s storage for likely-looking files and beam them back to a botherder.

Data harvesting may not even entail compromising the PC with malware. In the right situation, such as public Wi-Fi access, an attacker could simply intercept the computer’s wireless connection to harvest data.

Malicious software can also be used to mount attacks on networks. Infection can be spread to other machines by exploiting the same vulnerabilities used to attack the original computer. Network worms, such as Conficker, spread this way. Devices can also be lost or stolen, as can any removable media.

One way to deal with these risks is by using endpoint enforcement policies.

Quantifying the endpoint

To properly enforce endpoint protection it is crucial to understand what you are dealing with. What is connected to your network? What is its configuration? Scanning for connected devices and cataloguing them may reveal more devices than you expected.

Some discovery mechanisms use agents installed on managed computers to log and document what is being provided to the network.

Network access control providers commonly provide agents for a variety of machines. They communicate with a central policy server to ensure that the machine is in an acceptable state to connect to the network. Any devices that do not meet pre-set security policies for endpoints can be dealt with in ways predefined by the IT department.

However, there is a downside to pure agent-based protection: it is unlikely that every device connecting to the network will be supported. Even if an agent supports Macintosh clients and Android smartphones, there are printers and other peripherals to consider.

There are other, agentless technologies that can replace or complement agent-based systems: active and passive scanning.

Active scanning can simply mean using a tool to footprint your network, or a systems management product dedicated to the task.

Passive scanning, on the other hand, watches traffic passing across the network to understand what is talking. A traffic sniffer or network flow analyser, such as tcpdump or Snort, can provide some insights here.

Discovering machines using these techniques provides more than simple security. Understanding what is on your network will let you classify devices into specific virtual LANs for better traffic flow management.

If, for example, a particularly chatty device is discovered on a network segment on which users are experiencing performance problems, it could indicate a legitimate endpoint that would better be served on its own virtual LAN (or perhaps an unauthorised Wi-Fi access point).

What to look for

Agent-based technologies can return a rich set of information that can be used to assess a machine’s level of vulnerability and therefore the danger to the network. Examples include missing critical patches to systems and applications software, as well as missing anti-malware patches.

Agent-based systems can also deliver information about insecure user configuration in areas such as user privilege data, auto update settings and root certificate audit, not to mention insecure passwords. Much of this information can be delivered, and enforced, using a standard policy server.

Discovery mechanisms can also help to identify compromised devices that may have been infected by malware. Intrusion detection systems may identify these devices based on their behaviour, while scanning systems might do it by simply scanning for malware and comparing it against known signatures.

Remediation

How do we remediate devices when they are found to be compromised or in danger of compromise?

Until they are remediated, machines can be quarantined in a variety of ways. They can be separated at the IP level, by using two address pools allocated via DHCP. An alternative is to control things at the application layer by configuring HTTP access for users according to categorisation.

Sparking off a patch session using an automated system designed to cope with multiple third-party applications, such as Lumension Patch and Remediation, is an obvious task for systems that are out of date.

The same goes for anti-malware products that do not have signature updates. Weak or out-of-date passwords are changed by the users, who can run a wizard provided by the IT department to fix insecure configurations.

Defining policies

Before we can deal with the endpoints we discover, we must develop policies to manage them.

One challenge organisations face is deciding levels of authentication for devices. Binary “in or out” access may not be enough, especially for visitors who require privileged access to computing resources rather than basic surfing capabilities.

This is particularly true in the world of consumerisation, with contractors and employees bringing a variety of unmanaged devices into the organisation. If the vice-president of sales has a new iPad 2, and happens to be the key sponsor on one of your biggest IT projects, are you going to tell him he can’t use it to access the company CRM system?

One answer may be “guest plus” access, a policy that provides better-than-web access to selected clients. This needs some sophisticated monitoring after the initial connection, rather than simply auditing devices once and then allowing them full access to the network. Application-level packet analysis can play a big part here.

These policies can be referenced and enforced using a variety of policy servers. One is a host-resident system that sits on an existing server. Another option is an appliance – a piece of hardware dedicated to handling policy compliance evaluations from connecting clients.

The other option is to embed policy management logic into network equipment such as switches, access points or firewalls.

Application control

The truly well-managed system should have policies governing what software it can and cannot run. This application control can be implemented using a combination of blacklisting and whitelisting techniques, providing a defence-in-depth approach.

A software blacklist, usually implemented in some form of anti-virus package, helps to prevent rogue applications from finding their way onto the system. It protects the machine by scanning it against a selection of known signatures for malicious software.

The whitelist attacks the problem from the other end, allowing only software from a pre-defined list to be installed on an endpoint.

Even if a piece of whitelisted software is compromised, scanning against the blacklist can capture its signature and remove it. If that fails, behavioural analysis may pick up illegitimate activities on the system.

Remote enforcement

Endpoint enforcement is not limited to devices connected to the network. Increasingly, devices are mobile and need managing in the field.

Enforcing security on these devices can be a challenge because their network connections are sporadic, but there are some steps that IT departments can take.

Firstly, configuring devices to make their internet connections via the corporate LAN can help you to manage them effectively. Phones, including the iPhone, support connections via VPNs, which can secure information passing over the phone network or public Wi-Fi hot spots.

For endpoint enforcement on phones, however, IT departments should consider a specialist solution that includes facilities such as password enforcement, and application management to control what is being installed on the phones.

Application management is particularly important, given the rise of malware on some platforms. For example, in March 2011 it was discovered that over 50 Android applications openly available on the Android Marketplace had been compromised with malware called DroidDream, which used a user privilege escalation attack. After stealing all the information it could from the device, the program then proceeded to download more code.

Encryption is commonly offered by mobile device management suites. Encrypting data stored on the phone is a good way to meet compliance requirements, provided it is accompanied by some form of password enforcement.

Encryption is often complemented in such suites by remote locking and wiping of data. Some phones offer this as part of the standard feature set when they are purchased, but the advantage of managing this at the corporate level is that the IT department gets to control the phone.

There are caveats to all of this, however. The first is that these security suites require agents to be installed on the phones. This leaves IT departments mulling the issue of smartphone governance.

A corporate policy might dictate that a sanctioned mobile device with the agent installed has full access, while an employee-owned device falls back to guest-plus access or simple web-only capabilities.

One way for employees using their own phones to get better access could be to require them to install the mobile security software. If users want access to more corporate computing resources, then they will accede.

However, employees need to agree to report their phone lost or stolen at the first opportunity, and acknowledge that they may lose all of the data on their phone – including personal data – in the event that it is remotely wiped.

Because some users would agree to such terms without reading the agreement, some education is necessary. Endpoint enforcement can quickly become a cultural, legal and human-resources issue, rather than merely a technical one.

When media leaves the machine

Not all mobile devices carry computing capabilities. Some are simply removable, but still carry large amounts of corporate data with them. Hard drives, iPods, CDs and USB memory sticks can be used to carry off swathes of corporate information.

We have seen many examples of these problems. HM Revenue and Customs service lost 25 million child benefit records after they were copied, unencrypted, onto two CDs that were then lost in the mail. In 2008, the personal data of more than 11 million GS Caltex customers was found lying on two disks in the street.

Software can help to prevent some of these risks. Locking down ports on desktop and notebook machines stops data being copied across the endpoint onto USB sticks, and such software can also be used to lock down CD drives, stopping data from being burned onto them.

However, it is difficult, or even impossible, to lock down the ports and drives of unmanaged devices, which leads us back to restricting access to sensitive information.

One option to avoid complete lockdown is to use encryption. Forcing encryption on removable media renders the data useless to anyone who happens to compromise it.

It may not, however, prevent malicious employees stealing data, because they can give the encrypted USB stick to someone else using a password. This is where the realm of endpoint enforcement ends and role-based management begins.

Monitoring and reporting

Having identified the various devices on the network and implemented policies to protect them, monitoring becomes an important aspect of endpoint security.

It involves assessing how effective endpoint security policies are and logging administrator-level activities. The idea is to identify potential threats by logging system events, such as policy changes, and application execution attempts.

Reporting is the final piece of the puzzle for endpoint enforcement. Organisations must have a way to evaluate the results of their monitoring so they can see any suspicious activity and assess the outcome of remediation.

Conclusion

Endpoint enforcement is a crucial part of any organisational security policy. It also straddles both the technological and cultural realms, involving a mixture of network traffic awareness, software installation on the endpoint, policy definitions and user education.

It also extends into discussions of what types of user behaviour and user-owned devices are permissible on the network. The astute IT department will consider all of these factors when designing architecture to enforce security policies on the endpoint. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/27/endpoint_enforcement/

Merry Christmas, Stratfor

While L-tryptophanics were tucking in on Christmas day, private intelligence group Stratfor Global Intelligence was watching its reputation dissipate after online attackers copied e-mails and client lists.

On Christmas Eve, the attackers announced that they had broken into Stratfor’s systems and obtained access to 200 GB of e-mails.

They then published extracted information, including Stratfor’s customer and donor lists along with credit card data, on Pastebin.

Clients identified in the list include Goldman Sachs, derivatives trader MF Global, Apple, and the US Air Force.

The successful attack has been confirmed by Stratfor founder George Friedman in a letter reproduced at Zero Hedge.

While the Zero Hedge post captures IRC announcements made during the attack that link the break-in to Anonymous, the collective has posted a statement to Pastebin denying responsibility.

The statement attributes the attack to “Sabu”, stating that “Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs. As a media source, Stratfor’s work is protected by the freedom of press, a principle which Anonymous values greatly.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/26/stratfor_hack/

Hidden Dragon: The Chinese cyber menace

Analysis: Cybercrooks and patriotic state-backed hackers in China are collaborating to create an even more potent security threat, according to researchers.

Profit-motivated crooks are trading compromised access to foreign governments’ computers, which they are unable to monetise, for exploits with state-sponsored hackers. This trade is facilitated by information broker middlemen, according to Moustafa Mahmoud, president of The Middle East Tiger Team.

Mahmoud has made an extensive study of the Chinese digital underground that partially draws on material not available to the general public, such as books published by the US Army’s Foreign Military Studies Office, to compile a history of hacking in China. His work goes a long way to explain the threat of cyber-espionage from China that has bubbled up towards the top of the political agenda over recent months.

The first Chinese hacking group was founded in 1997 but disbanded in 2000 after a financial row between some of its principal players led to a lawsuit. At its peak the organisation had about 3,000 members, according to Mahmoud. The motives of this so-called Red Hacker group were patriotic, defending motherland China against its enemies.

The hacking of the US Embassy and the White House over the accidental bombing of the Chinese Embassy in Belgrade back in 1999 brought many flag-waving Chinese hackers together to, as they saw it, defend the honour of the motherland and fight imperialism in cyberspace.

This role was taken over by the Honker Union of China (HUC) after 2000, and the HUC later became the mainstay of the Red Hacker Alliance. China’s so-called “red hackers” attack critics of the state and infiltrate foreign government and corporate sites – among other activities. The phenomenon of patriotic hackers is far from restricted to China and also exists in Russia, for example. Russian hackers tend to make greater use of defacement and botnets to silence critics rather than spying.

Enter the Dragon

Over more recent years, different groups – which are involved in cybercrime to make money rather than patriotic hacking – have emerged in China, some of which are affiliated with the Triads. These groups run so-called bulletproof hosting operations, providing services for phishing fraudsters and the like while ignoring the takedown notices that ethical ISPs would comply with, as well as various botnet-powered scams, spam and paid-for DDoS attacks for hire. “These firms did not target Chinese firms and were therefore not prosecuted,” Mahmoud explained.

Over the years patriotic hacker groups and criminal hackers have forged alliances, a process facilitated by the Chinese government and in particular the Peoples’ Liberation Army, according to Mahmoud. One landmark event in this process was the defacement of Western targets and similar cyber-attacks following the downing of a Chinese jet by US warplanes in 2001. These attacks promptly ceased after they were denounced by the People’s Daily, the organ of the ruling Communist Party.

The Chinese government began to see the potential of cyberspace at around this time and established a PLA hacking corps, as Mahmoud described it, featuring hand-picked soldiers who showed talent for cyber-security.

Mahmoud said that despite the existence of this corps the Chinese often prefer to use “freelance hackers” for “plausible deniability”. “We can talk about hackers but it’s better to talk about businessmen selling secrets. An entire underground industry has grown up to support cybercrime,” he said.

There are various roles within such groups, including malware distribution, bot master, account brokers and “most importantly vulnerability researchers, whose collective ingenuity has been applied to run attacks against Western targets and to develop proprietary next-generation hacking tools”, according to Mahmoud.

Small groups, including the Network Crack Program Hacker (NCPH), that research gaping security holes and develop sophisticated malware strains are reportedly sponsored by the PLA.

Western governments, hi-tech firms, oil exploration outfits and military targets have variously been targeted in an expanding series of so-called Advanced Persistent Threat (APT) cyber-attacks, commonly featuring Trojan backdoors, over the years. These operations have been known as TitanRain, ShadyRAT and Night Dragon, among others.

“It’s sometimes difficult to differentiate between state-sponsored and industrial espionage attacks but what’s striking is that all these attacks happen between 9am and 5pm Chinese time,” Mahmoud noted.

Gaining access to industrial secrets is part of a deliberate targeted government plan, Programme 863, whose mission aim is to make Chinese industry financially independent of foreign technology. It also has a military dimension. “China sees cyberspace as a way of compensating for its deficiency in conventional warfare, for example by developing strategies to cripple communication networks,” Mahmoud said. “That does not mean China wants to fight. Inspired by the ideas of Sun Tzu [author of The Art of warfare] China regards it as a superior strategy to break the enemy without having to fight.”

North Korea is also developing expertise in cyber-warfare, running training schools that resemble those run in China. However there is little or no collaboration between the two countries, according to Mahmoud.

“The Chinese see their expertise in cyberspace as an edge they are not willing to share. That’s why there is no collaboration with hackers outside the country.”

The Wall Street Journal reported last Tuesday that US authorities have managed to trace several high-profile hacking attacks, including assaults against RSA Security and defence contractor Lockheed Martin, back to China. Information obtained during an attack on systems behind RSA’s SecurID tokens was later used in a failed attack against Lockheed Martin.

“US intelligence officials can identify different groups based on a variety of indicators,” the WSJ reports. “Those characteristics include the type of cyberattack software they use, different internet addresses they employ when stealing data, and how attacks are carried out against different targets. In addition to US government agencies, major targets of these groups include US defence contractors.”

US investigators working for the National Security Agency have reportedly identified twenty groups of hackers, a dozen of which have links to China’s People’s Liberation Army. Others are affiliated to Chinese universities. In total, several hundred people are said to be involved in the attacks, some of whom have been individually identified. The information has helped to strengthen the US’s hand in diplomatic negotiations with China.

The data also provides a list of targets for possible counter-attacks.

Bloomberg reports in a similar vein that China is engaged in an undeclared cyber Cold War against Western targets with the goal (unlike the Soviet-era Cold War) of stealing intellectual property rather than destabilising regimes or fostering communism.

Targets have ranged from tech giants such as Google and Intel to iBahn, selected because it supplies Wi-Fi technology to hotels frequented by Western execs, oil exploration biz bosses and government and defence contractors. Chinese hackers stand accused of stealing anything and everything that isn’t nailed down from as many as 760 different corporations over recent years, resulting in losses of intellectual property valued in the billions.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/24/china_cybercrime_underground_analysis/

Blocking Twitter, Facebook during riots not such a hot idea

Shutting down social media during times of civil unrest would be “actively unhelpful” and should not happen, a committee of MPs has said.

The Home Affairs Committee said that evidence from the riots in English cities in August showed that law enforcement had used social media to tackle the problem and that rioters had used traditional media in addition to social media to arrange their activities.

Prime Minister David Cameron said around the time of the riots that the Government would consider stopping people from using social networks in times of public disorder, but the Government later said that it is not looking to introduce new powers to do so. The Committee heard evidence from social media providers, the police and MPs before determining that a shutdown would not be merited.

“Although there is some evidence that BlackBerry Messenger and to a more limited extent Facebook were used to incite criminal behaviour, none of our witnesses recommended shutting down social media during times of widespread and serious disorder,” the Committee said in its ‘Policing Large Scale Disorder: Lessons from the disturbances of August 2011’ report (49-page / 322KB PDF).

“They all agreed that there were positive and negative aspects to the use of such media and that, in the words of Acting Commissioner Tim Godwin, it would have been a ‘net negative to turn it off.’ Even David Lammy, who called for the suspension of BlackBerry Messenger while the disorder was taking place, said: ‘I called for suspension in the heat of the problems. Clearly, the police were able to get order without suspension, so that is not my view now’. It would be actively unhelpful to switch off social media during times of widespread and serious disorder and we strongly recommend that this does not happen,” the Committee said.

During the riots, debate centred on whether the Government would introduce new powers in order to shut down social media. Although the Government subsequently said it was not seeking new banning powers, there are existing powers that enable it to shut down communications in certain circumstances.

Under the Communications Act the Culture Secretary can force Ofcom, the UK’s communications regulator, to order communication providers to suspend their service if he has “reasonable grounds for believing that it is necessary to do so” if it is in “the interests of national security” or “to protect the public from any threat to public safety or public health”. Ofcom is obliged to carry out the Culture Secretary’s order by giving specific directions to service providers on what “networks, services and facilities” the order relates to and can force the provider to keep the suspension measures in place “indefinitely”. Ofcom “may impose such conditions on the relevant provider” that appear to it “to be appropriate for the purpose of protecting that provider’s customers”, the Act states.

Consequences of a suspension order

The regulator must, “as soon as practicable” after giving a suspension order, give the service provider “an opportunity of making representations about the effect of the direction; and proposing steps for remedying the situation”. Ofcom can also impose conditions that will enable service providers’ customers to be compensated for loss or damage as a result of the suspension of a service, or “in respect of annoyance, inconvenience or anxiety to which they have been put in consequence of [Ofcom’s] direction”.

Technology law expert Danvers Baillieu of Pinsent Masons, the law firm behind Out-Law.com, previously said that though the legal powers exist to ban the use of communications networks, in practice they would be hard to use.

“The Communications Act contains several sections, in particular section 132, which give ‘emergency powers’ to the government in times of national emergency,” Baillieu said. “Given that this Act was passed in the wake of 9/11 the context is clear and suggests that these powers should only be used sparingly.”

“It is not clear what jurisdiction Ofcom would have if it ordered Facebook to close its site, whether in the UK or globally. Equally, it is not clear that the Act gives Ofcom power to order the network providers, such as BT, to suspend their networks selectively, in order to block access to certain websites.”

“We know from the attempts in the Middle East to block certain sites during the unrest in Iran and the Arab Spring, that organised protestors can easily bypass local restrictions on sites using proxy servers and other technological techniques – or just by moving over to alternative networks – rendering blocking totally ineffective.”

“Even if companies such as Facebook and Twitter decided to co-operate voluntarily with UK authorities and suspend their services, it would be very difficult for them to know which accounts should be affected, unless they took down their entire service, which does not seem like something they would do voluntarily,” he said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/23/twitter_facebook_riots/