STE WILLIAMS

‘Android malware must be kind of thrilling for Microsoft’

QuotW This was the week when, in a rather ironic about-turn, peer-to-peer veterans decided to start a suit against companies like Google, Amazon, Dropbox and VMware for using their intellectual property to make their cloud and virtualisation offerings.

While the US discovered that one of the devices it uses in critical infrastructures like water facilities has a weakness that could allow hackers to take control of it remotely.

And boffins got one step closer to, but by no means definitively found, but nevertheless are more certain of, up to a specific statistical probability of course, the Higgs boson.

This was also the week when the tech world tried out some negative marketing, with Samsung using ads in Australian newspapers that publicly celebrated its court victory in overturning the ban on the Galaxy Tab 10.1 in the country. The tagline for these rather pointed missives read:

This is the tablet Apple tried to stop.

And Microsoft started the #droidrage campaign on Twitter, promising free Windows phones for the best (or should that be worst?) stories from victims of Android malware. Security consultant Graham Cluley pointed out that it’s not often Microsoft gets to go on about other tech firms’ security issues:

I guess it must be kind of thrilling for Microsoft – which has endorsed the #droidrage campaign – to find the malware boot on the other foot for once. After all, they have long suffered having the Windows desktop operating system negatively compared to the likes of Unix and Mac OS X when it comes to the levels of malware infection.

However, on the very same day, a hacker discovered that Windows Phone OS had a security flaw that could let malicious persons disable the messaging system by sending an SMS, Facebook chat message or Windows Live message, so that was a short-lived moral high ground.

Sticking with phones, Nokia exec Niels Munksgaard also decided to get in on the rival-bashing the old-fashioned way, with some disparaging statements to the media. According to the Nokia Entertainment Global sales director:

What we see is that youth are pretty much fed up with iPhones. Everyone has the iPhone. Also many are not happy with the complexity of Android and the lack of security.

So naturally, all those yoofs were just waiting for Munksgaard to tell them how Apple and Android suck so they could run out and buy Nokias.

Meanwhile, Research in Motion continued to hang itself with one disaster after another, as two of its executives pleaded guilty to causing all sorts of drunken mischief and mayhem while aboard an Air Canada flight to Beijing, including chewing through their restraints. The flight was eventually forced to land in Vancouver. The Canadian prosecutor said:

The repercussions for the company as well as every single person on the plane, both financially and perhaps even emotionally, are going to be huge.

The two men have already been sacked by RIM and were ordered to pay $71,757 in restitution and got a year’s suspended sentence and probation.

From the bad publicity to the good publicity, Google has announced festive funding for charities, including money to spend on educating girls, empowering people through technology, promoting science, technology, engineering and maths and… fighting slavery.

Yes, the Chocolate Factory is putting a tenth of one per cent of its revenues, around $11.5m, towards stopping slavery and human trafficking. As it said on its blog:

The bad news: there are more slaves today than at any other point in history. The good news: by returning to their villages and helping educate others, freed slaves protect hundreds of thousands of at-risk people from being tricked or forced into similar misery.

Our support will free more than 12,000 people from modern-day slavery, and prevent millions more from being victimised.

And that’s not all Google wants to spend its money on – its co-founders are also hoping to snaffle NASA’s Hangar One to park their extensive air fleet in. The space agency wants to preserve the historic hangar, where US Navy airships used to reside, but it’s being cautious about selling off two-thirds of Hangar One’s floorspace to Sergey Brin, Larry Page and Eric Schmidt. One member of the subcommittee pointed out that any restorative work on the site should be in keeping with its historical significance:

We don’t want to see ‘Google’ in 200-foot letters on that hangar.

A co-founder of Apple also featured this week, dropping some pearls of wisdom on how to succeed in business. Steve Wozniak told radio listeners that what a company really needs to get on in this world is employees that are allowed to wear t-shirts to work.

Look at societies like Singapore where bad behaviour is not tolerated and can get you extreme punishments: Where are the creative people? Where are the great artists, where are the great musicians, where are the great writers?

All the creative elements seem to disappear. Though, of course, everybody is educated and has a good job and nice pay and a car.

Thinking for yourself is creativity and that goes right down to what we were talking about dress, the clothing that you wear – you wear what you want to wear.

Not to be outdone, a co-founder of Microsoft was also making waves, announcing his plan to build the largest aircraft ever flown. Paul Allen wants to use a humungous aeroplane to lift bigger rockets than any before launched in mid-air and thereby deliver much larger cargoes to orbit – maybe even manned spacecraft. Allen optimistically orated:

I have long dreamed about taking the next big step in private space flight after the success of SpaceShipOne – to offer a flexible, orbital space delivery system. We are at the dawn of radical change in the space launch industry. Stratolaunch Systems is pioneering an innovative solution that will revolutionize space travel.

And finally, Wikipedia founder Jimmy Wales was pondering a global Wiki-blackout to protest new US laws against online piracy (SOPA or Stop Online Piracy Act) that are being considered by Congress. Many internet companies feel the Act puts too much responsibility for piracy on content hosts, ISPs and search engines and uses a ‘guilty till proven innocent’ model. Wales was attempting to gather support for a Wiki-strike from his Wikipedian masses, saying:

My own view is that a community strike was very powerful and successful in Italy and could be even more powerful in this case (referring to a similar move made by the Italian Wikipedia, which resulted in that country’s parliament backing down from the law it opposed).

As Wikipedians may or may not be aware, a much worse law going under the misleading title of ‘Stop Online Piracy Act’ is working its way through Congress on a bit of a fast track. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/16/quotw_ending_december_16/

Brit PhD student excels in Pentagon digi-forensics challenge

A computer science student from Lancaster University has become the UK winner of the digital forensics challenge, a global competition designed and hosted by the US Department of Defense.

Christopher Richardson (AKA Ikarus) came first in the UK and ninth internationally among 1,791 competitors from 52 countries. The challenge was designed to test the ability of competitors to extract and scrutinise data to solve a simulated cyber crime. Aspects of the challenge involved understanding file signatures, metadata hashes, data hiding, communication recovery, and information concealment.

“It was difficult in parts but really enjoyable,” says Richardson, who is currently studying for a PhD in intrusion detection systems. “I have always had an interest in a wide range of security areas both inside and outside of my academic speciality and this competition gave me a platform to test my skills on practical problems with real world relevance. After getting stuck a couple of times, I didn’t think I had done that well, but to win the UK stream and do so well across the whole competition feels great.”

Richardson will receive £2,000 of security training from 7Safe as a reward for his efforts, which have also earned him a place in the Cyber Security Challenge UK’s face-to-face play-offs next year. He qualifies, alongside several runners-up, for the Sophos Malware Hunt on 14 January, where competitors will be asked to identify and explain a range of real malicious code from the vaults at Sophos’ Labs.

The Cyber Security Challenge UK is designed to unearth fresh sources of cyber security talent from people not already working in the industry. The initiative is supported by the UK’s government, universities and high-tech firms. “The Challenge is a key component of a new approach that the profession must embrace – it’s about focusing on natural aptitude first, and then bringing in certifications and training courses like the ones we are offering Chris, to mould that aptitude into a professional skills set,” explained Alan Phillips, chief exec of 7Safe. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/16/computer_forensics_challenge/

Fanbois locked out of iTunes store, iCloud in Apple outage

A number of Apple fanbois have been shut out of their iTunes store and iCloud accounts since last night as their login details fail to work as expected.

Attempts to access the services are thwarted with either a ‘fatal internal error occurred’ message being shown or the software simply saying that the password hasn’t been recognised.

One Reg reader said that Apple’s support lines were “congested”, but when they eventually got through, the support person said that Apple ID computers were down.

Apple had not answered a request for comment at the time of publication.

The twitosphere is alive with complaints about the problem (#appleid), which seem to indicate that the issue is happening all over the world – judging by the number of tweets appearing in various different languages.

So far, Apple itself has made no public statements about the problem, leaving most Apple-lovers to thank social networking sites for giving them the news that they’re not alone in having issues. The outage comes as Apple rolls out its iTunes Match service to the UK and other countries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/16/apple_id_fail/

Met to push rape warnings over Wi-Fi to Xmas partygoers

London police are turning to Wi-Fi to beam alerts to revellers in the capital, warning them of the danger of rape while out partying and drinking over Christmas.

Wi-Fi hotspots near popular clubs in central parts of London, such as Ministry of Sound, Proud Galleries and the Trocadero Centre, are being targeted by Scotland Yard officers.

Met-issued adverts about the Wi-Fi technology have been posted in various boroughs across the capital. They ask punters to twiddle with their mobiles’ Wi-Fi or Bluetooth settings to receive alerts to be sent by the police.

“This concerted prevention drive is about sending a message to perpetrators of rape that sex with someone who is unable to consent is rape. If a person is unconscious or their judgement is impaired by alcohol they are legally unable to consent,” said Scotland Yard detective superintendent Jason Ashwood.

“Men and women should never feel that they cannot enjoy themselves on a night out; however we would always advise people to take care of themselves and their friends and ensure they are comfortable with their surroundings and situation. Have fun, but be responsible and stay safe. It is an unfortunate fact of life that there are individuals out there who will try and take advantage of people when their inhibitions are lowered.

“This is about us trying to prevent offences from happening in the first place. I do however want to make something very clear: the only person ever responsible for a rape is the perpetrator.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/16/scotland_yard_wifi_hotspots_rape_warnings/

Visa probes reported security breach of card processor

Credit card issuer Visa is investigating the possible breach of a payment processor in Europe that may have compromised more than 10,000 cards in Eastern Europe.

In a statement issued on Thursday, according to IDG News, the issuer said: “Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway. We are working closely with our member banks to ensure cardholders are protected.”

The statement didn’t name the processor or the country where it’s located.

The statement came a day after a news article published by Romania Business Insider cited Visa Europe’s general manager as saying Romania’s CEC Bank blocked 17,000 payment cards because of suspicions they had been compromised.

A statement issued by CEC Bank, according to SC Magazine, said: “The bank has been informed that a number of cards issued by banks in Romania and abroad have been potentially compromised through an international database. CEC Bank has decided to block the cards and reissue a new card and PIN, at no cost, for a number of cards in its portfolio.”

The statement went on to say that the attack didn’t target the bank’s customers specifically and wasn’t the result of any vulnerabilities inside the bank’s system. The Romanian Association of Banks issued its own statement (PDF) that said multiple banks have been alerted to a potential security breach that may have exposed credit card data.

The potential breach of the processor comes almost three years after US-based processor Heartland Payment Systems disclosed a massive security breach that ultimately cost a whopping $105 million in fines and other expenses. Serial hacker Albert Gonzalez eventually pleaded guilty to masterminding the attack on Heartland and various other holders of payment information in a breach that compromised some 130 million cards.

Court documents later identified a garden-variety SQL-injection exploit as the entry point into Heartland’s network. Last year, Gonzalez was sentenced to 20 years in federal prison. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/credit_card_processor_security_probed/

BigPond customers targeted by phishers

Telstra’s beleaguered BigPond customers, who suffered a major security breach last week when customer details were leaked to the web, are now subject to a targeted phishing campaign.

Sophos reports that an email is doing the rounds urging BigPond users to confirm their billing information or risk the suspension of their account.

While the email campaign is a typical spam-style phishing effort, Sophos claims it may get more traction because of its timing: BigPond users who fear that their customer information has been compromised may believe a validation is required.

Last week’s breach exposed the private details of around 60,000 BigPond customers. Telstra advised via Twitter that affected customers would need password resets to reduce the risk from the privacy breach.

Telstra has reminded users that it does not ask for logins via unsolicited e-mail. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/bigpond_customers_under_attack/

US spy drone hijacked with GPS spoof hack, report says

The US stealth drone broadcast last week on Iranian state television was captured by spoofing its GPS coordinates, a hack that tricked the bird into landing in Iranian territory instead of where it was programmed to touch down, The Christian Science Monitor reported.

The 1700-word article cited an unnamed Iranian engineer who said he’s studying the inner workings of the American bat-wing RQ-170 Sentinel that recently went missing over Iranian airspace. He said the spoofing technique made the craft “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center.

CSM reporter Scott Peterson and an Iranian journalist publishing under the pen name Payam Faramarzi said the GPS weakness of aircraft has long been known to US military officials. They cited a 2003 report titled GPS Spoofing Countermeasures that appears to warn of the type of attack claimed by the Iranian engineer.

“A more pernicious attack involves feeding the GPS receiver fake GPS signals so that it believes it is located somewhere in space and time that it is not,” the report states. “This ‘spoofing’ attack is more elegant than jamming because it is surreptitious.”

A paper (PDF) presented at a security conference in October further elaborated on GPS spoofing attacks, laying out the ingredients necessary for a “seamless takeover” of drones and other airborne vehicles.

US officials have blamed the loss of the sophisticated drone on a malfunction, but have yet to explain how it managed to stay in relatively pristine condition after its recovery by the Iranians.

Over the past 36 months, Iran has suffered a series of setbacks that some analysts blame on a covert war carried out by the US, Israel, or other adversaries. The recent assassinations of its nuclear scientists, explosions at missile and industrial facilities, and the Stuxnet worm that sabotaged uranium enrichment plants are three examples.

“Now this engineer’s account of how Iran took over one of America’s most sophisticated drones suggests Tehran has found a way to hit back,” the CSM article states. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/us_spy_drone_gps_spoofing/

Facebook rolls out Timeline to world+dog

Facebook is finally rolling out its Timeline feature worldwide, after the company first announced the latest tweak to its social network in September.

As we reported last week, beyond select partners and developers, New Zealanders using Facebook were the only section of Zuck’s vast global stalkerbase to get their hands on Timeline.

Now it’s being pushed out to all users of the site.

Facebook described Timeline as “an easy way to rediscover the things you shared, and collect your most important moments. It also lets you share new experiences, like the music you listen to or the miles you run.”

Zuckerberg has referred to this latest rejig of Facebook as “Frictionless sharing” – it’s the future for his social network. The idea being that users have a much more beefy record of their life as chronicled on the dominant website.

The word “profile” has been replaced throughout Facebook with the word “timeline” to reflect the network’s makeover.

Meanwhile a quick test by this reporter of the new feature discovered that Facebook has moved the “view as …” option for individual profiles out of its privacy settings menu. It’s now been relegated to a drop down menu on a user’s main page, making it far better hidden than before the Timeline overhaul.

The “view as…” option allows paranoid users to check that their privacy settings are, well, as watertight as they can be on what is ostensibly a site that’s all about “sharing” with family and friends, but is really about harvesting data for advertisers.

Facebook has replaced “view as” within its privacy setting pages with an “editing your timeline info” button, which allows users to edit details about their work, education, love life, and so on.

Facebook said it had “simplified” its privacy settings page. Here’s why:

“You can choose who sees your status updates, photos and profile info using the inline audience selector — when you share or afterwards.”

Those controls, Facebook said, are “now up front”.

It’s added a feature called “activity log” that allows users to adjust the privacy setting on each post. Facebook is expecting users to be happy to carry out so much admin on the network, but many will argue that the fun of updates and, dare we say it – online social interaction – just got zucked dry. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/facebook_timeline_worldwide/

Cops target climate-sceptic bloggers in three countries

Police have targeted at least four climate bloggers in three countries, with constabulary taking computers and networking equipment from a science blogger in the UK.

Roger Tattersall, aka “Tallbloke”, a Digital Content Manager at the University of Leeds, posted that six police officers identifying themselves as being from Norfolk Police and the Metropolitan force entered his home at midnight and took away two laptops and a router.

Norfolk Constabulary told us in a written statement that “Norfolk Constabulary executed a search warrant yesterday (Wednesday 14 December) in West Yorkshire and seized computers. No one was arrested. This is one line of enquiry in a Norfolk Constabulary investigation which started in 2009.”

That’s a reference to the “Climategate” investigation by Norfolk police into the release of emails, raw data and computer code from the Climatic Research Unit at the University of East Anglia, which two years on has yet to yield any results. A second batch of emails from the CRU including a large encrypted container was distributed last month. Amongst the recipients were Tattersall and Jeff Id of the Air Vent.

Norfolk Police told Tattersall they will clone the seized drives and return them.

Last week WordPress hosting site Automattic, based in San Francisco, notified several climate skeptics including Tattersall, Id and Canadians Steve McIntyre (Climate Audit) and Donna Laframboise (No Consensus) that the US Department of Justice Criminal Division had requested evidence for the period in November when the second batch of emails was uploaded.

The Green Police are presumed not to be involved:

We asked the Met for a statement but they referred us to Norfolk.

The Norfolk Police force and its computer forensic contractors have also helped the UEA with its internal enquiries – as you can read here

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/climategate_police_action/

Carrier IQ meets with feds ‘to educate them’

The makers of the controversial smartphone app Carrier IQ have reportedly been quizzed by federal regulators over concerns that its technology tracked user activity and uploaded data to mobile operators behind the back of consumers.

The Washington Post reports that senior Carrier IQ execs have met with representatives from US consumer watchdog the Federal Trade Commission and staff from the Federal Communications Commission (FCC) to explain its position. Controversy over Carrier IQ’s mobile network diagnostic tool reignited earlier this week after it emerged, via freedom of information requests, that the FBI is using data captured by the app.

The FBI denies asking for data obtained by Carrier IQ’s software, at least directly. It seems that information snaffled by the utility was handed over by carriers in response to lawful interception requests, The Guardian reports.

Carrier IQ said it had sought meetings with regulators in order to allay possible concerns and defuse privacy fears. It denies being hauled in as part of a more formal investigation.

“Carrier IQ sought meetings with the FTC and FCC to educate the two agencies… and answer any and all questions,” Andrew Coward, the senior vice president for marketing, told the Post. He added that he was unaware of any official investigation into the firm.

Coward met FTC and FCC staffers alongside Carrier IQ chief executive, Larry Lenhart, as well as congressional staff. US senator Al Franken wrote to Carrier IQ last month soon after the controversy about its technology first emerged.

Security researcher Trevor Eckhart was the first to raise concerns about Carrier IQ’s technology. After initially serving Eckhart with a cease and desist letter, the firm has since come around and explained how its technology operates in a way that has defused many of the original concerns. It’s not a mobile rootkit or keylogger, contrary to initial reports and descriptions of the technology by Google’s chairman Eric Schmidt, respectively. However, transparency and privacy issues remain valid concerns.

Carrier IQ explained earlier this month that its technology is only designed to diagnose operational problems on networks and mobile devices, such as dropped calls, data transmission speeds and battery life. “While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video,” it said (PDF statement here).

Actually that last bit turns out to be not entirely true because the software firm was obliged to admit that a security bug meant its application did collect the contents of SMS messages in some circumstances. An SMS message would get embedded in signalling if, for example, a user received a message during a call. The data would be encoded and not easily readable by a human, as explained in a blog post by Kaspersky Lab’s Threatpost blog here.

Smartphone manufacturers and US network providers confirmed that phones and networks using Carrier IQ technology include Apple, AT&T, Sprint, HTC, Samsung and T-Mobile. The formerly obscure software runs on more than 141 million handsets, according to stats prominently displayed on Carrier IQ’s site.

Apple is reportedly going to use a future software update to remove the unholy utility from Jesus phones, where diagnostic reports generated via the software are only sent back with the permission of users. The technology is even more deeply embedded in Android smartphones. Users have the ability to detect the app using third-party detection tools from anti-virus firms but don’t have the ability to actually remove it.

Comment

None of this is what you’d call terribly reassuring but we’re still inclined to believe, as Carrier IQ insists, that its technology is not designed as a tool for lawful interception but as a means for carriers to diagnose handset and network problems. Each implementation is different and so the diagnostic information actually gathered by Carrier IQ’s technology varies between different mobile operators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/