STE WILLIAMS

Terry Pratchett computer sniper-scope: Spec-ops mini version

Famous Pentagon boffinry powerhouse DARPA has made a new announcement on its “One Shot” programme, which ensures that a million-to-one shot will – as on Terry Pratchett’s Discworld* – hit the target nine (well, six) times out of 10.

Boatswain's Mate 3rd Class Todd Hubert - and his spotter, Seaman Chad Luck - of the US Navy SEALs. Credit: DoD

Seems that Chad on the right there may be out of a job, these days.

The existing One Shot prototype systems are designed to replace the telescope used by the spotter of a military sniper team. The new, enhanced instrument from DARPA doesn’t merely magnify the target area or measure the range precisely as one can with a normal laser rangefinder: it can also overcome the sniper’s greatest bugbear, that of trying to work out the effect crosswinds will have on the bullet as it flies towards the target.

The One Shot system does this by analysing the returns from its laser shining on the target and computes just where the sniper’s rifle should be aimed so that the bullet will still arrive on target. This information is fed from the spotter’s instrument to a display attached to the telescopic sighting scope on the actual rifle.

According to DARPA, trials with prototype One Shot systems have shown that two-man sniper teams packing such kit could in fact score first shot hits at least six times in 10 at extreme ranges – as much as 90 per cent of a weapon’s maximum reach. They have spoken previously of 1500m, but this would suggest first shot hits in crosswind at ranges well beyond 2,000m. (The current combat sniping world record holder – publicly known, anyway – is Corporal-of-Horse Craig Harrison of the Household Cavalry, who killed two Taliban machine gunners at 2,474m in 2009. But he took several shots to get on target, and conditions were windless.)

Normally such performance would surely qualify as “million-to-one”: but not anymore, it seems. However DARPA has now announced that some military testers are still not entirely happy with the One Shot as it stands. According to the agency:

Some users of this technology have expressed interest in a significantly smaller “field ready system” that can be “clipped-on” directly to the weapon, eliminating the need for a spotter/observer in future sniper operations. In response to this requirement, DARPA is initiating a new program (One Shot XG) to address this unique implementation approach.

This would dispense with the spotter and his scope altogether, allowing a solo sniper to carry all the necessary computing and instrumentation kit as a small accessory attached to his weapon.

There can’t be much doubt as to who the “some users” referred to by DARPA are: they are the secretive super-troopers of the US Special Operations Command. We know this because in this solicitation (PDF) issued by the Special Operations Research, Development and Acquisition Center earlier this year a requirement for a very similar system to One Shot XG is outlined – and it is specifically stated that “Long Range Sniper Ballistic Solution Systems” are wanted by SOCOM, one of the purposes of which is to “assist the sniper in operating more effectively without the support of a spotter”.

It would seem that the fashion in the US special-ops community is moving away from conventional two-man sniper teams and towards solo operations, at least in some roles or missions: and that – given that it’s not just DARPA working on this – computing sniper scopes are genuinely on their way. Once the trendy special forces have something, the regular forces will generally develop a strong desire for it. ®

Bootnote

* This principle was first established in Guards! Guards!, where the Night Watchmen of Ankh-Morpork are attempting to shoot down a dragon with an arrow.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/24/darpa_one_shot_spec_ops_mini_version/

Thanksgiving menaced by virus-laden fake iTunes vouchers

Supposed iTunes gift certificates doing the rounds in the run-up to Thanksgiving are actually loaded with malware.

Spoofed emails purportedly offering $50 vouchers for the iTunes Store, which arrive with email subject lines such as “iTunes Gift Certificate”, come with an attachment supposedly containing a certificate code. In reality, these zip file attachments are infected with the Windows PC-compatible malware, detected by Sophos as BredoZp-B and first spotted by German infosec group eleven-security*.

The scam – illustrated with screenshots and explained in more depth by net security firm Sophos here – is likely to be repeated by similar scams in the run up to Christmas, at least if previous years are anything to go by. ®

Bootnote

* We’d like to think eleven-security employed someone called Nigel Tufnel as a spokesman but this is probably just a Spinal Tap-inspired flight of fancy on our part.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/24/fake_itunes_gift_cert_malware/

Apache developers scramble to fix proxy flaw

Admins, nail down your systems

Apache developers are working on a fix for a flaw in its web server software that creates a possible mechanism to access internal systems.

The zero-day vulnerability only rears its ugly head if reverse proxy rules are configured incorrectly and is far from easy to exploit … but it is nonetheless nasty. A possible patch for the vulnerability was suggested by an Apache developer from Red Hat on Wednesday but has yet to be fully tested. In the meantime, web admins would be well advised to nail down their systems.

The as-yet-unpatched bug was discovered by Prutha Parikh, a security researcher at Qualys, who came across it while in the process of researching another reverse proxy issue.

Parikh has published a detailed explanation of the flaw – alongside proof of concept code – in a post on the Qualys blog here. ®
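The article says only that the bug bites when reverse-proxy rules are "configured incorrectly". The well-known shape of that misconfiguration in this class of Apache flaw (a RewriteRule with the [P] flag, or a ProxyPassMatch, whose pattern is not anchored at "^/" and whose target drops the "/" between the backend host and the captured text) is background knowledge assumed here, not something the article states. The checker below is an added example, not Apache's or Qualys's code; it scans a constructed httpd.conf fragment for such rules and suggests the anchored form an admin would want before a patch lands.

```python
import re

# Constructed httpd.conf fragment (not from the article or the Apache project):
# two proxying rules written with the missing-slash mistake and two written
# correctly, so the checker has both cases to classify.
SAMPLE_CONFIG = """# constructed vhost fragment
RewriteEngine On
RewriteRule ^(.*) http://internal-app.example$1 [P]
RewriteRule ^/(.*) http://internal-app.example/$1 [P]
ProxyPassMatch ^(.*\\.php)$ http://php-backend.example$1
ProxyPassMatch ^/(.*\\.php)$ http://php-backend.example/$1
ProxyPass /api/ http://api-backend.example/api/
"""

# directive, pattern, substitution, optional [flags]
RULE_RE = re.compile(
    r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?"
)
# scheme://host immediately followed by a back-reference, i.e. no separating "/"
UNSLASHED_TARGET_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/$]+\$\d")


def _proxies(directive, flags):
    """ProxyPassMatch always proxies; a RewriteRule only does so with the P flag."""
    if directive == "ProxyPassMatch":
        return True
    if not flags:
        return False
    return any(f.strip().upper() in ("P", "PROXY") for f in flags.split(","))


def _suggest_fix(pattern, subst):
    """Anchor the pattern at '/' and put the '/' back between host and path."""
    new_pattern = "^/" + pattern[1:] if pattern.startswith("^") else pattern
    new_subst = re.sub(r"(://[^/$]+)(\$\d)", r"\1/\2", subst, count=1)
    return new_pattern, new_subst


def find_weak_proxy_rules(config_text):
    """Return (line_no, pattern, subst, suggested_pattern, suggested_subst) for
    every proxying rule that neither anchors its pattern at '^/' nor keeps a
    literal '/' after the backend host. Such a rule lets the request-URI, rather
    than the config, decide what follows 'scheme://' in the proxied target."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue
        directive, pattern, subst, flags = m.groups()
        if not _proxies(directive, flags):
            continue
        if pattern.startswith("^/"):
            continue  # only URIs starting with "/" can match, so the capture stays a path
        if not UNSLASHED_TARGET_RE.match(subst):
            continue  # a literal "/" after the host keeps the capture in the path
        findings.append((line_no, pattern, subst) + _suggest_fix(pattern, subst))
    return findings


if __name__ == "__main__":
    for line_no, pat, sub, fixed_pat, fixed_sub in find_weak_proxy_rules(SAMPLE_CONFIG):
        print(f"line {line_no}: {pat} {sub}  ->  {fixed_pat} {fixed_sub}")
```

Run it against a real httpd.conf by reading the file into `find_weak_proxy_rules`; a clean result does not prove the server is patched, only that this particular rule shape is absent.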

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/24/apache_bug/

Irish biz rife with fake sites slurping victims’ privates

Irish websites have become a prime target for phishing fraudsters over recent months with multiple incidents of fraudsters setting up counterfeit banking sites on compromised but otherwise legitimate websites.

Of the 441 security incidents reported this year by the Irish Reporting and Information Security Service (IRISSCERT, the national computer emergency response team), the vast majority (92 per cent) involved Irish websites being broken into by criminals to host phishing sites – which trick users into entering their private details into what they think are legitimate websites.

Denial of Service attacks over the same period, up until the end of October, accounted for just six reports (1.4 per cent of the total). IRISSCERT reckons 96 per cent of the reports it handled this year can be blamed one way or another on profit-motivated cybercrime gangs rather than either hacktivists or script kiddies carrying out cyberattacks for kicks, notoriety or political reasons.

Brian Honan, of IRISSCERT, said: “The volume and type of incidents we deal with on a daily basis are a clear indication to Irish businesses that cybercrime is a real threat to our systems, our businesses and the economy. We can no longer afford to treat information security as an afterthought and need to ensure we take the appropriate steps to secure our systems.”

Get your corporate security in order

Honan said that running a properly configured network with up-to-date anti-virus software and the latest patches applied ought to be the starting point of a corporate security policy. User education and penetration testing to test for security weaknesses, particularly on web-facing systems such as websites, together with procedures to quickly fix problems once they are identified, are also important, said Honan. Sharing best practices on security is also essential.

“Criminals are sharing information and working together so they can exploit our systems and steal our money,” Honan explained. “Businesses need to better share information with the community so we all can learn; IRISSCERT provides this facility.”

Statistics on its work to date this year were released by IRISSCERT during its annual conference, which was held on Wednesday in Dublin. During the conference IRISSCERT announced that it had joined the International Cyber Security Protection Alliance (ICSPA). ICSPA is a global not-for-profit organisation that provides technical expertise and other resources to law enforcement agencies investigating cybercrime. Other members include EuroPol, Trend Micro, Visa and McAfee.

IRISSCERT is already a member of the Anti-Phishing Working Group (APWG) with experience in fighting cybercrime.

For example, IRISSCERT assisted the Dutch authorities this year in cleaning-up suspected command and control servers for the Bredolab botnet, which was dismantled late last year.

IRISSCERT, a not-for-profit company established in 2008, is staffed by volunteer members of the local information security industry. The organisation provides alerts on new vulnerabilities and threats, supplies guidelines on security best practice and statistics as well as offering a coordination service to help deal with ongoing cyber-attacks. IRISS is funded by a combination of donations and corporate sponsorship. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/24/irish_cybercrime_scene/

Exoplanet ranking suggests INTERSTELLAR WAR imminent

An international team of boffins has ranked the various extra-terrestrial planets and moons known to humanity in order of ability to sustain life. It’s bad news for the human race, as the planets of the Gliese 581 star system are near the top of the list: and if an intelligent race is present there, we have already mortally offended it.

Artist's conception showing the inner four planets of the Gliese 581 system. GJ 581g, potentially habitable, is in the foreground. Credit: Lynette Cook/NSF

TURN IT DOWN! Right, that’s it. Warm up the strategic tachyon accelerators, Commander. Set beam intensity to ‘eradicate’.

The new habitability study has involved the collaborating scientists devising two different indexes for rating worlds, in proper scientifiction style*. We now have the Earth Similarity Index (ESI), showing how much like Earth a body is, on which Earth is 1, Mars is 0.7 and our Moon is 0.56.

The scientists have also worked out a Planet Habitability Index (PHI), based on such things as planetary magnetic fields, atmosphere, likely local temperatures etc. Titan, icy natural-gas slush moon of Saturn, scores high on this at 0.64.

But, very worryingly, the planets of the dim, red M-class star Gliese 581 – lying just 20 light-years away in the constellation Libra – score high up the listings in both systems. Under ESI, the exoplanets Gliese 581g, d and c are the next three most habitable known worlds after Earth: and they are also well up under PHI.

Normally this would not be cause for alarm, but – as regular readers of Reg exoplanet coverage will know – should there be intelligent aliens at Gliese 581 they will soon have an intense and well-justified grievance against us.

This is because back in 2008 the management of the doomed teenybopper social-networking portal Bebo, for reasons which seemed good to them at the time, collected a huge and infamous compilation of web-2.0 content from their site’s users, addressed at possible aliens resident at Gliese 581. They then hired the unscrupulous Russian astronomer Alexander Zaitsev to beam this horrendous guff-blast at the red star from a powerful Ukrainian radar telescope.

Sample comments offered as humanity’s possible first messages to a powerful and sophisticated alien culture:

Our bodies are made of bones … We have senses. Smell, Taste, Sight and Touch. Without any of these things, we wouldn’t live.

I love Television. We watch animated cartoons and real-life drama on it. I could sit and watch Television all day.

Hi im nicole … someday i would love to appear on the west end stage, in a hit show.i also wouldnt mind doing a few television programs whether it is as a extra or a main part i dont mind i would love to appear on doctor who as i love it. anyway laters.Nicole x

All these, and many other foulnesses such as pictures of cats, boy crooners, amusing vegetables etc, are on their way unstoppably towards Gliese 581 and will arrive at that star system in March 2029. Even if the aliens have not yet developed star travel, planet- or sun-smasher missiles, world-volatilising krenon rays etc, this will surely be a powerful spur to the development and instant employment of such weapons against the civilisation which could, unprovoked, commit such an interstellar solecism.

Truly these are worrying times. The new rankings are published in the journal Astrobiology. ®

*As E E “Doc” Smith would say, “Earthlike to ten decimals”.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/24/exoplanet_habitability_rankings/

Browser plugin brings strong crypto to Google webmail

Software developers have released a JavaScript implementation of the OpenPGP encryption message format that allows users to encrypt and decrypt communications within web-based mail services.

GPG4Browsers is currently available only as an extension for the Google Chrome browser for integration with Gmail. It works with all asymmetric and symmetric ciphers and hash functions specified in the formal OpenPGP standard, with the exception of the IDEA algorithm. It is compatible with the GnuPG implementation of OpenPGP.

“The implementation currently implements a Chrome browser extension which uses the HTML5 local storage of the extension to store private and public certificates (keys),” developers with Germany-based Recurity Labs, wrote in the documentation (PDF). “Chrome browser extensions enabling JavaScript applications to run in their own context separated from the website.”

The prototype implementation can be used to encrypt and decrypt messages, digitally sign messages and verify the signatures of received messages, and import and export keys. It doesn’t support the generation or manipulation of keys or work with messages that are symmetric-only encrypted.

If GPG4Browsers can bring email encryption to the masses, its creators will be doing the world a huge favor, but El Reg isn’t holding its breath. True, dedicated email programs that support public-key encryption are complicated enough that only power users are typically able to implement and stick with them. Like previous browser plugins implementing crypto, GPG4Browsers appears to shift all the complexity out of the email client and into the browser.

“Generally (ie every case I can think of) plugins don’t take off,” Trevor Perrin, an independent cryptographer, wrote in an email. “Reasons being that plugins usually have a less-than-perfect integration with the host application (in this case Gmail) so not a great user experience – they end up being rough around the edges, or have subtle interference with printing, or forwarding, or attachments, or something.”

There may also be resistance from crypto users – who already are a security-conscious lot – to trusting private keys and confidential messages to a set of PGP functions folded inside some JavaScript running inside a browser.

“I trust the idea of a piece of software that holds passwords or private keys when it is partitioned from the rest of the browser more than when it is implemented inside something that is routinely manipulated by an attacker, namely the JavaScript environment,” said Adam O’Donnell, a developer and the chief architect for antivirus provider Immunet’s cloud technology group. “I really don’t know enough other than to say ‘that scares the hell out of me.’”

The Recurity Labs developers make clear that their plugin isn’t suitable for use on public machines. And since a user’s keys must be imported to each instance where the implementation is used, we’re not sure we see a clear benefit to using a plugin over using a dedicated piece of software to achieve the same results.

Of course, webmail isn’t likely to go away anytime soon, so the biggest contribution of GPG4Browsers may be to bring a long overdue feature to the Mozillas of the world.

“Hopefully, this will get the attention of browser vendors to provide better integrated crypto instead of requiring an extension,” said Nate Lawson, a cryptographer who is principal of Root Labs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/browser_crypto_plugin_debuts/

Software maker sorry for trying to silence security researcher

A Silicon Valley software maker has withdrawn legal threats against an Android developer who claimed the company’s diagnostic application amounted to a rootkit that posed a privacy threat to millions of handset owners.

In a statement issued on Wednesday, Mountain View, California-based Carrier IQ apologized to Trevor Eckhart for threatening to sue him for publishing training manuals he said supported his rootkit characterization. The about-face came a few days after the Connecticut-based Android developer received legal support from the Electronic Frontier Foundation, which asserted his postings were protected by the US Constitution’s First Amendment.

“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart,” the statement read. “We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”

Eckhart’s posting claimed that Carrier IQ software was able to log detailed information on millions of phones powered by Google’s Android, Research in Motion’s Blackberry, and Nokia operating systems. A user’s GPS coordinates, key taps, and websites visited were just some of the details phone makers and carriers used the software to track, he claimed.

Eckhart also objected to the lack of disclosure given to handset owners that their devices contained the software. In some cases, he said, Carrier IQ versions were modified so phones showed no signs the software was installed and running. That led to claims Carrier IQ was no different than rootkits installed to secretly track and control devices.

Carrier IQ officials responded that the software didn’t log keystrokes, track users’ whereabouts or report on the content of emails or text messages at all. Rather, they said, the software helped network providers to diagnose a range of problems, including identifying causes of premature battery drainage, dropped calls, and other system problems.

In an email sent to The Register shortly after Carrier IQ dropped its claims, Eckhart held his ground.

“I stand by my statements still and hope that Carrier IQ will engage anyone who has questions with direct answers to facts posted,” he wrote. “The community needs to know exactly what is recorded, who has access to it, and why we can’t remove – especially from devices not under carriers contract.”

He made no apologies.

“I saw something wrong, clearly logging data without user consent,” he wrote. “Anything logging sensitive data should not be hidden and have clear opt-in guides. I was lucky to have the support of the EFF though who I cannot thank enough for this.” ®

Follow @dangoodin001.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/24/carrier_iq_about_face/

McKinnon’s mum wins human rights gong

Gary McKinnon’s mum has secured a human rights award for her campaign to reform extradition laws.

Janis Sharp secured recognition by human rights group Liberty for her tireless campaigning on behalf of her son, who is accused of hacking into the Pentagon. McKinnon has Asperger’s Syndrome and has been fighting against extradition to the US for the last nine years.

The campaign to secure a UK trial for McKinnon has become a cause celebre as well as inspiring a national debate on extradition arrangements between the US and UK.

A judicial inquiry into extradition law by Sir Scott Baker concluded that the treaty arrangements were not unfair. However Dominic Grieve, the UK’s Attorney General, said the review offered “guidelines only” and was not binding on judges, giving a boost to the Save Gary campaign in the process.

Liberty said Sharp was being awarded its Close to Home award “for her passionate and sustained campaign to protect her son … from extradition to the USA”, the Daily Mail reports.

Meanwhile McKinnon’s fate lies in the hands of Home Secretary Theresa May, who is considering medical evidence that warns McKinnon would be a suicide risk if faced with the stress of a US extradition, trial and likely imprisonment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/mckinnon_mum_human_rights_award/

Councils ‘fessed up to just 55 of 1,035 data loss shockers

The scale of data-handling gaffes at local authorities has been revealed by a new report that uncovered 1,035 incidents where confidential information about British citizens was lost.

Privacy campaign group Big Brother Watch (BBW) submitted 433 Freedom of Information Act requests to councils across the UK that covered a three-year period from August 2008 to August 2011.

The FOIs asked the authorities to report the number of cases where sensitive information had been lost by council staff, as well as explain the nature of the data loss. BBW also requested details about how many employees had been subsequently disciplined, sacked or prosecuted for such data breaches – and it asked what response each council had given to individual incidents.

In total, the campaigners received 395 replies from local authorities.

“We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care,” said BBW in a statement accompanying its report (PDF).

“Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.”

Despite that, BBW found that local authorities only reported a paltry 55 incidents to the Information Commissioner’s Office, which handles data loss complaints.

The group added that only nine incidents – where data was mishandled by council staff – resulted in the individuals concerned being sacked.

“I welcome this research by Big Brother Watch,” local government minister Grant Shapps told the data protection advocates.

“This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”

Here’s a snapshot of some of the data losses uncovered by BBW, where the incidents weren’t subsequently reported to the ICO:

  • In Bolton a smartphone “slid off a car bonnet” and was said to be “irretrievable without dismantling the car park”. The authority said the phone contained internal contact details of Bolton council workers. It said the “phone was sent a remote wipe command within one hour and the owner of the car park subsequently sealed the cavity with concrete.”
  • Schoolchildren’s ID cards in Fife were delivered by post to the wrong addresses, the Scottish authority admitted. It said personal data that may have been leaked included pupils’ names, photos, and possibly their dates of birth, as well as information about entitlement to free school meals. However, no action was taken, other than staff visual checks on all cards swiped by pupils at the school.
  • In Kent, scanned case notes relating to children were found on Facebook. They contained data that would identify individuals, the council admitted. The authority contacted the police and the director of children’s social service was also informed about the incident.

The Register asked the ICO to respond to BBW’s findings. It said:

It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.

Four out of the six monetary penalties that we’ve issued so far have involved data losses at councils.

Our concern isn’t just that councils have the right policies and procedures in place; it’s about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature.

We’re calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice asking the government to give us such powers.

The watchdog pointed us at its own list of local authority data cock-ups where “enforcement action” was taken over the past two years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/big_brother_watch_report/

Climategate 2.0: Fresh trove of embarrassing emails

Analysis: There was always an element of tragedy in the first “Climategate” emails, as scientists were under pressure to tell a story that the physical evidence couldn’t support – and that the scientists were reluctant to acknowledge in public. The new email archive, already dubbed “Climategate 2.0”, is much larger than the first, and provides an abundance of context for those earlier changes.

“I can’t overstate the HUGE amount of political interest in the project as a message that the Government can give on climate change to help them tell their story,” a civil servant wrote to Phil Jones in 2009. “They want the story to be a very strong one and don’t want to be made to look foolish.”

Having elevated global warming to the most dramatic, urgent and over-riding issue of the day, bureaucrats, NGOs, politicians and funding agencies demanded that the scientists must keep the whole bandwagon rolling. It had become too big to stop.

“The science is being manipulated to put a political spin on it which for all our sakes might not be too clever in the long run,” laments one scientist, Peter Thorne. While Professor Jagadish Shukla, a lead IPCC author, IGES founder, and one of the most senior climate experts writes that, “It is inconceivable that policymakers will be willing to make billion- and trillion-dollar decisions for adaptation to the projected regional climate change based on models that do not even describe and simulate the processes that are the building blocks of climate variability.”

With the release of FOIA2011.zip, the cat’s now well and truly out of the bag.

To their credit, some of the climate scientists realised the dangers of the selective approach politicians demanded, which meant cherry-picking evidence to make it suitably dramatic, and quietly hiding caveats. “We need to communicate the uncertainty and be honest,” pleads Thorne, in another email from 2005. Thorne noted that a telltale “signature” of greenhouse gas warming was absent. “Observations do not show rising temperatures throughout the tropical troposphere unless you accept one single study and approach and discount a wealth of others. This is just downright dangerous.”

“What if climate change appears to be just mainly a multidecadal natural fluctuation?”

Elsewhere, discussing the homogeneity of temperature readings from different sources, Thorne mulls the need to “balance the text so this is not the message”, and expresses his discomfort with making claims that conceal the uncertainty. But such were the demands of activists, agencies and the political class, uncertainty was not on the menu.

This was why the first Climategate caused such repercussions. The revelations came as little surprise to those few who follow state of temperature reconstructions, but they rocked supporters who had put their trust in climate scientists. Clive Crook, a believer in the manmade global warming hypothesis and supporter of carbon reduction measures, expressed it like this:

“The closed-mindedness of these supposed men of science, their willingness to go to any lengths to defend a preconceived message, is surprising even to me. The stink of intellectual corruption is overpowering.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/climategate_2_first_look/