STE WILLIAMS

Web smut oglers accosted by bogus pop-up plod fines

Strathclyde Police are not levying fines on punters watching internet porn, the force has been obliged to explain.

Scam messages, which often appear as pop-ups and pose as messages from the plod, claim a user’s machine has been locked for showing adult content. Marks are told they need to pay a £100 fine over the phone in order to supposedly regain access to their machine.

Whether they are asked to speak to a scammer posing as a hard-bitten Glasgow detective, perhaps impersonating fictional telly ‘tec Jim Taggart, at this point remains unclear.

Details of the scam are vague. Malware of some kind would appear to be involved. The ruse may be an imaginative variant of ransomware Trojans that encrypt document files on infected PCs before demanding a fee for unlock codes. But without any details we can’t be sure of anything except that Strathclyde Police is not levying spot fines for smut surfers. Or at least not yet.

Strathclyde Police said an investigation into the scam was already underway.

“We would like to assure the public that this is an internet scam and has absolutely nothing to do with Strathclyde Police, and that our organisation never asks the public for money,” a police spokesman told the BBC. “We would urge the public not to follow the instructions on screen or call the number given or send any money.”

“Officers are currently carrying out numerous and extensive inquiries to trace the source of this scam and would also ask that anyone who has received this scam pop-up on their computer to contact their local police office as soon as possible.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/net_smut_pop_up_scam/

Brit security biz Clearswift pockets £30m from sugar daddies

Investment house Lyceum Capital has bought UK-based content security firm Clearswift. Financial terms of the deal, announced on Tuesday, were imprecise but a spokeswoman said that around £30m will be ploughed into the business.

Clearswift, which plays in the email and web gateway segment of the security software market, also offers data loss prevention products that compete against Symantec, Sophos and other big players in an enterprise-focused market.

The Brit biz wants to use the investment to expand into key vertical sectors (outside of its core heartland of government and defence) and expand its reach geographically while bolstering its technical capabilities. Targeted acquisitions down the road to meet this goal are a possibility.

In the meantime its new bosses will focus on the hard sell. A statement from Clearswift reads: “Lyceum and our management’s growth strategy will focus on capitalising on the opportunities arising from recent high profile cyber-security breaches, the increase in regulatory compliance and the recent introduction of significant fines in countries, such as the UK, for breaches of data protection legislation.”

The firm employs 170 people, almost two thirds of whom are based in the UK. It maintains satellite operations in Germany, Spain, Japan, the US, Australia and the Netherlands. Clearswift’s customers include BAE Systems, An Post, Warwick District Council, T-Mobile and Australia Post. Sales are predominantly channel-based.

The Clearswift acquisition was financed by a group of investors including Amadeus Capital Partners, DFJ Esprit and Kennet.

The deal follows Lyceum’s earlier investments in the technology sector this year including its £30m acquisition of managed IT services provider Adapt in September and a £50m investment into Access, a cloud-based accounting and ERP software and services business, back in March. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/clearswift/

Schneier: Teens and treaties – our cyber

We can expect at least another 10 years of unbridled and irrational fear about the threat of cyber war before things calm down.

That’s according to security expert Bruce Schneier, who reckons it will be people’s attitudes to the threat of hackers, terrorists and rogue nations that will grow up first, and essentially help make us safer, before the technology that might be used to stop potential attacks matures.

He said the new generation, which has grown up in the immediate aftermath of 9/11, will be better adjusted and more rational about the threat of potential attacks.

Speaking at The Register and Intel Live 2011 in London last week, Schneier also blamed senior political and military figures, the security industry and headline writers for inflating fear to unreasonable proportions.

“We’ve had a decade of terrorists and ‘we are all going to die’ in the US – it’s been terrible… it’s very different to what you might see in Israel or here in the UK during The Troubles, where there’s a very different mentality,” Schneier said.

“It takes a generation that grew up in that mentality to recognise it and to change it. I do think it will change; it’s more perception than reality, but it takes a new group to change it.”

Schneier, currently BT security chief and with a long and distinguished career in security, has been a persistent critic on his blog and in the media of overinflated fear-mongering about cyber war.

Schneier didn’t discount or downplay the risk of cyber war at Live 2011, but instead took issue with a phrase that’s widely bandied about, but actually quite hard to define.

While people have claimed cyber war is already in progress or that we are in the middle of a “cyber Katrina” – referring back to the hurricane and following bureaucratic inertia that crippled New Orleans in 2005 – he noted that “wars” require government sponsors, and so far there is no proof that any of the larger-scale attacks on computer systems has received that level of backing.

Instead, he said, while we’re not fighting a cyber war as such, we are seeing war-like tactics used in broader cyber conflicts.

He pointed to China, which was suspected of launching a DoS on Gmail in 2010; there was no proof, though, that it was an official policy. “There are a lot of attacks emanating from China, but those paying attention believe they are less state-sponsored than state-tolerated – people who attack with impunity but who pass anything they find on to their handlers,” Schneier said.

On the other side of the Bamboo Curtain, there’s been Stuxnet – a worm reputedly authored by the US and Israel and used to take down Iran’s Bushehr nuclear power plant.

Complicating the picture is the fact that the weapons and tactics of cyber war do not rest in the hands of governments. Individuals – those with a grudge or hacktivists like Anonymous – are in on the act.

The 2007 denial of service attack on Estonian government systems has been frequently quoted as an example of cyber war waged against a nation. It was a good example given the on-going levels of animosity between Russia and its former Soviet republic. The attacks, though, were the work of just one person: a lone student, and not even a Russian at that. He was an Estonian student with a beef against the government over a WWII Soviet war memorial. Also, there were the attacks on financial institutions that wouldn’t handle payments of WikiLeaks once the site fell foul of the US government.

New-age armaments

Schneier is not complacent. He doesn’t say that cyber war won’t happen – rather, that we are still in the early stages of planning. The US Department of Defense, for example, has established a Cyber Command and there’s talk of China wanting to dominate cyberspace. He says the difference is that cyber war will not exist in isolation from an actual war; when the tanks start rolling then computing infrastructure will become just another theatre.

“I’m not saying cyber war will never exist; preparing for cyber war is reasonable… having a US cyber command makes sense. When war breaks out it will occupy all theatres,” he said.

Schneier said the difference is how one evaluates this complex situation, the defensive measures deployed, and steps that the really big players – such as nations – can take to defuse the situation.

On defence, it pays for certain players not to be simply “as secure as everybody else” but to ensure they have absolute security. This applies to organisations like those financial institutions targeted by WikiLeaks fanbois, attacked on ethical or political grounds, or on the basis of anger.

At a national level, Schneier also endorsed an idea from former US cyber-czar Richard Clarke, who has proposed cyber treaties between countries that would outline certain agreements, for example no first use of weapons or no attacks against civilian infrastructure.

“Even a cyber-war hotline would be a good idea between the various countries’ cyber commands,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/bruce_schneier_cyber_war_hype/

Malls suspend plan to track shoppers’ cellphones

Two shopping malls have dropped plans to track shoppers’ movements after a US senator voiced privacy concerns about the practice, which involves monitoring individuals’ cellphone signals.

The Footpath tracking system will no longer be used at the Promenade Temecula mall in southern California or the Short Pump Town Center mall in Virginia. An article published last week on CNN.com said both malls planned to deploy the system beginning the day after Thanksgiving, which is typically the busiest shopping day of the year.

The product of UK-based Path Intelligence, Footpath uses antennas to detect the TMSI, or Temporary Mobile Subscriber Identifier, of each cellphone in the vicinity to anonymously track shoppers as they move from store to store. The TMSIs, which are short-term numbers issued to a mobile device when it enters a cell tower’s coverage area, are put through a one-way hash function to prevent them from being intercepted, and all data collected is encrypted and anonymized. The only way for users to stop the tracking is to turn their devices off.

The owner of both malls suspended the plans after receiving a letter over the weekend from US Senator Charles Schumer of New York. In a statement published on his website, he warned that the tracking service might be abused. He also called on the Federal Trade Commission to investigate if Footpath violates privacy laws.

“Personal cell phones are just that – personal,” Schumer wrote. “If retailers want to tap into your phone to see what your shopping patterns are, they can ask you for your permission to do so. It shouldn’t be up to the consumer to turn their cell phone off when they walk into the mall to ensure they aren’t being virtually tailed.”

A spokesman for Forest City, which owns and operates the malls, said the company is suspending the project until it offers shoppers a way to opt out of the tracking that doesn’t require cellphones to be turned off.

For her part, the CEO of Path Intelligence defended Footpath as a system that allowed brick-and-mortar retailers to track customers in much the way e-commerce websites have been doing for years.

“Online retailers do not require you to ‘opt-in’ to being tracked,” Sharon Biggar told a reporter for The Hill. “Rather they observe/track behavior from the moment a shopper enters an online website. We are simply seeking to create a level playing field for offline retailers, and believe you can do so whilst simultaneously protecting the privacy of shoppers.”

We’re guessing Biggar’s PR handlers didn’t tell her about the do-not-track and Right to be Forgotten directives under consideration in the US and EU respectively. The use of browser cookies to track web visitors, often without their consent, has turned out to be highly controversial, as a huge raft of lawsuits suggests. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/cellphone_tracking_nixed/

Pirated software hard drive on display as art

A New York gallery is displaying a piece of “art” that consists of a one-terabyte portable hard drive chock-full of pirated code.

Manuel Palou’s “5 Million Dollars 1 Terabyte”, currently on display at the Art 404 gallery in New York, consists of a single drive placed on a plinth, containing stolen code from Adobe, Nintendo, and others. Pedantically speaking – given its name – the drive actually contains 1,016GB of data, and the estimated cost of the data is just $4,971,760.

Very pretty, but is it art?

According to the drive’s manifest, the largest chunk of purloined data comes from a 137GB Nintendo DS ROM collection, along with 130GB of PC games from 1979-2001 and 124GB from the artist’s music collection. The most valuable data is a collection of ebooks from 2003-2011, a 133GB haul which the artist claims has a value of $300,000.

The piece is on sale, with the price set at the retail cost of the hard drive, presumably as a statement on the mirage of value applied to data by media companies in an interconnected, synergistic universe where the information superhighway creates cultural ghettos by offloading data at spurious values to reinforce global business hegemony … or some such.

The gallery told El Reg that there are no buyers interested in the piece as yet, but we know there’s one born every minute, and with the current hard-drive shortage beginning to bite, there may yet be someone willing to splash out on this objet d’art. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/28/pirated_software_hard_drive_art/

Twitter crypto purchase leaves Egypt dissidents in lurch

A company that provided free cellphone encryption to dissidents in Egypt abruptly suspended its services on Monday so that Twitter could integrate some of its privacy enabling technology into the microblogging site.

Twitter’s acquisition of San Francisco-based Whisper Systems came on Monday, the same day Egyptian citizens participated in their nation’s first parliamentary elections since the ouster of Hosni Mubarak, whose repressive regime ruled the country for three decades. That means Egyptian dissidents who relied on Whisper Systems RedPhone to encrypt voice calls made with their Android smartphones abruptly lost the ability to protect calls from government-controlled eavesdroppers at a time they might need it most.

It was only nine months ago that Whisper Systems said it was rushing out an international version of the encryption software to support the historic protests that were then sweeping the African nation’s populace.

“The timing is atrocious,” said Chris Soghoian, a privacy researcher with the Open Society Foundations. “Today is Egypt’s first election after it threw out its old regime, and the only encrypted voice communication tool for Android goes dark. This couldn’t have happened at a worse time for people in Egypt.”

Statements issued by a Twitter spokesman didn’t address why the RedPhone service was being shut down now, and Moxie Marlinspike, a security researcher and Whisper Systems co-founder, didn’t respond to an email seeking comment for this post.

In a terse statement on its website, Whisper Systems said: “The Whisper Systems software as our users know it will live on (and we have some surprises in store that we’re excited about), but there is unfortunately a transition period where we will have to temporarily take our products and services offline. RedPhone service will be interrupted immediately, but FlashBack users have a month to pull off any backup data they would like before that service also goes offline.”

RedPhone is an app that encrypts voice communications on phones running Google’s Android operating system. The service makes it easy for Android users to make and receive encrypted calls regardless of carriers involved, but it requires the use of a third-party server to briefly set up the protected session. Taking down the server had the immediate effect of disrupting the service, even though users still had the software installed on their handsets.

As the statement from Whisper Systems made clear, those who used a separate cloud-based encrypted backup service known as FlashBack have 30 days to make alternate arrangements. There was no indication that a separate app known as TextSecure, which encrypts text messages, would be affected. It doesn’t rely on servers to encrypt and decrypt messages.

News that Twitter was acquiring Whisper Systems came as a surprise for another reason: Technologies such as voice encryption and cloud storage aren’t considered a core Twitter competency or service. In many respects, software that actively prevents messages from being read by all but a single person seems to be well outside Twitter’s stated goal of providing a real-time network that connects users around the world to the latest information.

Whisper Systems’ use of the word “temporarily” to describe the RedPhone closing suggests that the service may return. The most likely scenario is that the apps and supporting software will be released as open-source wares so that a volunteer somewhere in the world can run the supporting website.

But until then, dissidents and others who need RedPhone to encrypt their Android calls have no ability to use the service – and they have the Twitter acquisition to thank for the disruption. ®

Follow @dangoodin001.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/28/twitter_buys_whisper_systems/

Manila AT&T hackers linked to Mumbai terror attack

Police in the Philippines have arrested a group of four suspected hackers accused of funnelling profits from attacking corporate telephone networks to an Islamic terrorist group blamed for the attacks on Mumbai three years ago.

The four suspects allegedly targeted PBX systems maintained by AT&T and gained access to corporate phone lines that they resold at a profit to call centres. The low-level scam resulted in estimated losses of $2m and ran between at least October 2005 and December 2008, and possibly earlier.

The operation was allegedly financed by Jemaah Islamiyah, a proscribed Pakistani terrorist organisation blamed for the terrorist attack in Mumbai, India, in November 2008.

“Revenues derived from the hacking activities of the Filipino-based hackers were diverted to the account of the terrorists, who paid the Filipino hackers on a commission basis via local banks,” according to a statement on the arrests by the Philippine National Police’s Criminal Investigation and Detection Group (CIDG), which added that the type of scam involved had been running since 1999.

Members of the CIDG’s Anti-Transnational and Cyber-Crime Division (ATCCD) and FBI agents raided the homes of the suspects, who all live in Greater Manila, seizing computer and telecoms equipment. The agents made four arrests on Wednesday, 23 November. The suspects were named as: Macnell Gracilla, 31, a resident of Quezon City; Francisco Manalac, 25, and his live-in partner Regina Balura, 21, of Caloocan City; and Paul Michael Kwan, 29, who also lives in Caloocan City.

Kwan was previously arrested four years ago in 2007 on suspicion of helping to finance terrorist activities* but was apparently released only to – allegedly – resume his involvement in the long-running phone phreaking scam. He and his alleged cohorts continued to act as commission-only hacking contractors, albeit for a different boss.

Following the arrest of Pakistani Jemaah Islamiyah member Muhammad Zamir in Italy, also in 2007, an unnamed Saudi Jihadist took control of running the phone phreaking scam. Banking records linked the Philippines hackers to their alleged Saudi terrorist funding boss.

“FBI agents who have been investigating incessant hacking of telecommunication companies in the US since 1999 uncovered paper trail of various bank transactions linking the local hackers to the Saudi-based cell whose activities include financing terrorist activities,” according to CIDG.

The FBI requested the assistance of Philippines authorities in March 2011 but arrests were only made last week, some eight months after the request for help.

The scam involved was almost certainly neither technically complicated nor lucrative. $2m-worth of calls, most probably fenced for much less, is a drop in the ocean compared to the hundreds of millions of dollars scareware vendors rake in every year. In addition, there must be some doubt whether the alleged hackers knew they were working for a terrorist funding mastermind or were doing low-paid work for whoever bankrolled them on a no-questions-asked basis. ®

Bootnote

Kwan’s 2007 indictment here only talks about a phone phreaking plot run through Italian and Spanish call centres. It makes no mention of terrorist implications unless the source of some named payments, referred to only as J.I., is actually Jemaah Islamiyah.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/28/philippines_at_and_t_terror_hack_arrests/

Second US Navy robot stealth bomber takes flight

A second X-47B unmanned stealth attack plane is now flying, and the US Navy expects the robot aircraft to demonstrate operations from an aircraft carrier on schedule in 2013.

Air Vehicles 1 and 2 of the X-47B UCAS-D project on the flight line at Edwards. Credit: Northrop Grumman

Maverick walked out onto the flight line … and into a bad dream

Northrop Grumman, delivering the X-47B demonstrators for the USN, has just announced the successful first flight of the second aircraft, rather unoriginally dubbed “Air Vehicle 2”. According to the defence-aerospace behemoth, the flight took place last week above Rogers Dry Lake adjacent to Edwards Air Force Base in California.

“With two aircraft now available, we can increase the amount of aircraft performance data we gather, which will allow us to meet our required aircraft capability demonstration goals in a timely manner,” said Northrop robo-bomber honcho Carl Johnson.

The X-47Bs are intended to show that a stealthy unmanned jet can carry out the full spectrum of operations from an aircraft carrier at sea, including catapult launch, arrested recovery and other necessary feats such as air-to-air refuelling. Many of these achievements, in particular carrier landings, are regarded as very difficult tasks among human pilots and a US carrier air group must spend much time and expense keeping its aviators trained up in them. Furthermore there is nowadays growing concern over carriers’ possible vulnerability to various kinds of long-range missiles, meaning that US admirals are keen to keep them as far as possible from potentially hostile coastlines.

This last factor means that the carriers’ aircraft need more range and endurance in order to deliver strikes ashore, and aircraft along X-47B lines are expected to excel in these areas compared to manned aircraft.

According to Northrop:

The X-47B is a computer-controlled unmanned aircraft system that takes off, flies a preprogrammed mission, and then returns to base – all in response to mouse clicks from a mission operator. The operator actively monitors the X-47B air vehicle’s operation using simple situational awareness displays, but does not fly it via remote control, as some unmanned systems are operated.

In 2013, the program is scheduled to demonstrate the first carrier launches and recoveries by a tailless, unmanned, low-observable-relevant aircraft. Autonomous aerial refueling demonstrations are planned for 2014.

US naval aviators, who feel that their wings of gold shine with extra lustre due to the fact that they make their takeoffs shot from catapults and their landings onto pitching decks with the aid of tailhook and arrester wire, may be viewing the progress of the X-47B with mixed feelings. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/28/x47b_number_2_flies/

Hacker cuffed in job interview sting with hotel he blackmailed

A job-seeking Hungarian hacker has pleaded guilty to breaking into the systems of the Marriott hotel chain before attempting to blackmail his way into an IT job.

Attila Nemeth, 26, sent Trojan-infected emails to Marriott employees late last year, according to his plea agreement, in a move that successfully allowed him to extract confidential and financially sensitive information from the hotel chain’s network. He then apparently threatened to reveal this information unless he was given a job maintaining Marriott’s systems.

Marriott reported the approach to the US Secret Service, which set up a sting operation. An agent posed as a Marriott human resources worker, entering into email and phone conversations with Nemeth, ostensibly about the possibility of a job.

Nemeth agreed to travel to the US in January, supposedly for a job interview, after accepting a plane ticket bought at Marriott’s expense. According to his plea agreement, during the “interview”, Nemeth was coaxed into revealing how he broke into Marriott’s systems and the level of confidential access he’d obtained. He also admitted sending the malware-loaded emails. He was subsequently arrested and charged with computer hacking and threatening to expose confidential information offences, the Wall Street Journal reports.

The Marriott estimates spending between $400,000 and $1m in consultant fees and other costs dealing with the security breach and figuring out what damage Nemeth might have caused.

The Hungarian pleaded guilty to both offences on Wednesday and was remanded in custody ahead of a sentencing hearing, scheduled for 3 February. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/28/hungarian_hacker_hotel_sting/

Randy plods plundered police records just to get a date

Checking out women “for sexual purposes” was just one of the ways Welsh police have breached people’s data protection rights.

Having all that knowledge at their fingertips proved too much for some in Wales’ four police forces, leading to 85 recorded breaches since 2006, the BBC found out in a Freedom of Information request.

Apart from looking up prospective girlfriends on police records, the cops couldn’t resist prying into the lives of possible housing tenants for anything they should worry about, as well as going through family members’ information and even passing on some data to third parties.

Two offenders have been sacked as a result of these breaches and one has resigned.

South Wales Police said its professional standards unit knew of 26 incidents in the last five years, as cops delved into data held on children, associates and other people for personal reasons, including friends of their daughters.

Dyfed-Powys Police didn’t have any records for 2006, 2007 or 2010, but said one worker was dismissed in 2008 over data breaches and another was given a written warning for making checks for personal gain.

One other official was given advice after he put sensitive information in a personal email – presumably: “Don’t put other people’s information in a personal email if you don’t want the sack,” or alternatively, “Don’t use your personal email for confidential work stuff, ya div.”

Then in 2009, another cop got the sack while a staff member resigned over breaches.

North Wales Police said 45 people had gained access to information for reasons other than police work and information had been disclosed three times.

Gwent Police was the only Welsh force to have no breaches, or at least as far as it knew anyway. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/28/welsh_police_data_breaches/