STE WILLIAMS

Crooks lured investors with fake watchdog site

The North American Securities Administrators Association (NASAA) has closed down a website that was using its content to dupe investors.

The association, which is an international group that aims to protect investors, issued a cease-and-desist letter to the State Securities Commission website, which seemed to be posing as a national regulator to trick people.

“Several fake regulator websites have been brought to the attention of state and federal securities regulators in recent years,” Jack Herstein, president of the NASAA, said in a canned statement. “Many of these sites purport to offer relief to investors. In reality, they are fronts for con artists posing as regulators.”

“We are concerned that con artists are attempting to cash in on our reputation for effective investor protection to lure others into an illicit scheme,” he added.

The website, statesec.org, now appears to be shut down, but you can still see a cached version here, which said:

The State Securities Commission either acts as trustee or works with an independent court-appointed trustee in a missing asset case to recover funds. The statute that created SSC provides that customers of a failed brokerage firm receive all non-negotiable securities that are already registered in their names or in the process of being registered.

The site also has a news section and investor alerts, which Herstein said were slightly modified versions of recent NASAA news releases and alerts. It also lifted information from other securities sites, such as the Securities Investor Protection Corporation (SIPC).

The commission also claims to consist of “the securities administrators in the 50 states, the District of Columbia, Puerto Rico, the US Virgin Islands, Canada and Mexico”, NASAA said, and that it “was chartered by Congress to combat fraud”.

“This information is patently false,” Herstein said. “Cons will go to great lengths to make themselves appear legitimate.”

Any investors who want to make a claim through the commission are asked to include a copy of their most recent brokerage account statement, along with copies of confirmation slips for securities transactions, correspondence and other documentation. Some investors also are asked to include a check with their completed forms.

“Requests to submit personal account information and money to a ‘regulator’ are red flags of investment fraud,” Herstein said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/11/fake_securities_regulator_site/

Duqu targeted each victim with unique files and servers

The creators of the Duqu malware that penetrated industrial manufacturers in at least eight countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft Word documents that were different for each victim, according to research published on Friday.

What’s more, two of the drivers the sophisticated, highly modular rootkit used in one attack showed compilation dates of 2007 and 2008, said Alexander Gostev, the Kaspersky Lab expert who authored the report. If the dates are genuine, they suggest the Duqu architects may have spent the past four years developing the malware.

Like forensics investigators combing through a homicide scene for the tiniest scraps of evidence, security researchers around the world are examining every email and computer file associated with Duqu for clues about who created it and for what purpose. They have yet to establish a direct link to the Stuxnet worm that was unleashed to sabotage uranium-enrichment plants in Iran, but the aggregate picture of Duqu that’s emerging is that, like Stuxnet, it was painstakingly developed by a world-class team of disciplined and well-financed engineers.

The Duqu version examined in Friday’s report was recovered by the Sudan Computer Emergency Response Team from an undisclosed company that the attackers targeted in advance. Like attacks on other targets, it was launched using a booby-trapped Word document with content that was tailored to the receiving organization and exploited a previously unknown vulnerability in the kernel of all supported versions of Microsoft Windows.

The first attempt at infection in the incident studied by Kaspersky failed because the email containing the Word document wound up in a spam folder. On May 21, four days after the first email was sent, the attackers tried again with a slightly modified message. Both the subject line and the title of the attached file referenced the targeted company specifically. Interestingly, the DLL file that served as the trojan’s main module was dated April 17, the same day as the first attempt to infect the target.

When the recipient of the second email opened the Word document, a malicious payload immediately hijacked the computer, but sat dormant for about 10 minutes, Gostev said. The exploit didn’t actually install the spy components until the end user went idle. The infected computer used a command and control server researchers had never seen before. So far, investigators have identified at least four such servers, and each one was used to send and receive data from only one target.

In late May, a second computer in the attack examined by Kaspersky was infected over the targeted company’s local network. Gostev didn’t say how the Duqu infection was able to spread. Separate research from Symantec has suggested the malware was able to spread across networks through the SMB connections used to share files from machine to machine.

For all the skill and care the attackers took, they also showed an intriguing sense of humor. The malicious shellcode for their exploit was embedded in a fictitious font called “Dexter Regular,” and contained the line “Copyright (c) 2003 Showtime Inc.” The hidden message is an obvious reference to the Dexter television series, which depicts a ritualistic serial killer who works as a crime-scene investigator for the Miami Police Department.

“This is another prank pulled by the Duqu authors,” Gostev wrote. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/11/duqu_analysis/

Valve admits forum hack exposed gamers’ privates

Steam, the online platform of video game firm Valve Corporation, has admitted that customer personal details including encrypted credit card information might have been exposed by a hack attack last weekend.

The hack led to the creation of a new “promoted” discussion thread on the Steampowered forum, ostensibly promoting a site offering gaming cracks. In addition, some users began receiving spam promoting the same site.

The Steampowered site was suspended, initially without explanation. However, in an updated message posted on Thursday (below), forum administrators admitted the site had been hacked and that the collateral damage caused extends well beyond that caused by a simple defacement.

Back-end databases – holding sensitive data including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information – were also breached. Users are advised to change their passwords and to keep a close eye on their bank statement, in case crooks manage to use the stolen data to commit fraud or perhaps to run identity theft scams.

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they log in. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

News of the breach coincides with the release of Skyrim, the fifth game in Bethesda Software’s popular Elder Scrolls series; unlocking the game and playing it online required access to Steam’s online services.

Steam’s game servers were taken offline as a precaution following the breach on its forums, but they were back online in time for the Friday launch of the game, avoiding the need to delay the launch, as net security firm Sophos reports.

More than 1,400 games are available through Steam, which has an estimated 35 million active user accounts. How many of these accounts also use the Steampowered forums affected by the breach is unclear, but the figure probably runs comfortably into the millions.

Paul Ducklin of Sophos has some pointers for gamers on precautions to take following the Steam breach, the latest in a run of attacks on online gaming firms over recent months, here.

The most notorious incident in an annus horribilis for gaming firms was the April hack on the PlayStation Network, which exposed the private data of millions, leading to the network’s weeks-long suspension. Victims of lesser attacks have included Nintendo, Bethesda and Sega, among others. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/11/valve_admits_steam_hack/

IT bods to prove their prowess in bed with spooks

The British Computer Society has launched a pilot scheme to certify information assurance professionals in government.

The full scheme will be launched in January 2012 and will focus on developing and delivering an Information Assurance Specialist Certification Scheme for anyone working in a government department or those working on government contracts.

According to the BCS, the scheme will offer three levels of certification for practitioners, senior practitioners and lead practitioners. It will cover six information assurance roles identified by CESG: security and information risk advisor, security architect, accreditor, information assurance auditor, IT security officer, and communications security officer.

The contract to deliver the scheme was awarded to the BCS by CESG, the information assurance agency of GCHQ and the UK’s national technical authority for information assurance.

David Clarke, chief executive officer at the BCS, said: “Having won the contract in September, we’re now starting a pilot stage to ensure that our processes allow information assurance specialists to achieve the grade of certification they need to work on government projects.”

He invited anyone interested in the scheme to register their interest so they can receive information when it opens fully next year.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/11/bcs_assurance_pilot/

Were Lavasoft’s buyers once on its hit list?

Anti-spyware company Lavasoft AB is now owned by a set of online entrepreneurs who have been linked with misleading websites.

The Montreal-based entrepreneurs, who purchased the company’s assets in January, have previously been accused of selling the free versions of Lavasoft products to unwitting internet users as recently as 2007 via cyber-squatting sites.

Lavasoft, originally based in Sweden, was purchased by an investment fund called Solaria in January, but no other holdings can be found for Solaria. In fact, the only ties that Solaria has are to the founders of Upclick, an affiliate marketing company. The founders of this company have also founded companies that sold online porn, reskinned peer-to-peer filesharing software, and allegedly “skimmed” online sales, charging customers for software that they did not order.

Solaria bought Lavasoft on 18 January 2011. Its listing in Businessweek reveals that it began operating as a subsidiary of Lulu Software after the acquisition, and is now also known as LVS Software. Lulu Software is registered as 7270356 Canada Inc in Montreal (4-page PDF/163KB).

Its major shareholder is a corporation called 7104189 Canada (1-page PDF/191KB), whose directors are Charles Dadoun and Daniel Assouline – also the directors of affiliate marketing company Upclick.

Shortly after the acquisition, other evidence of links between Lavasoft and UpClick began to surface. Calin Ioan Udrea, the former director of marketing for UpClick, relisted himself on LinkedIn as the director of marketing for Lavasoft in February.

Bad boys done good?

Dadoun and Assouline have a long history when it comes to internet marketing. They are also the men behind Interactive Brands, an affiliate marketing firm listed as the registrant of multiple domains linked to fraudulent activity, including spyware and fake genealogy sites. Interactive Brands was selling Lavasoft’s Ad-Aware in 2007 using a variety of domains, including adaware-ib.com. This domain was listed in a Rip-off Report complaint by a customer who found the site in a web search, purchased Ad-Aware through it, and said that he was charged for extra software that he did not ask for.

Interactive Brands also operated sites that drew attention from legitimate players in other markets. One was searchyourgeneology.com, which was reported by legitimate genealogy site Ancestry.com in 2008. Ancestry.com said, in a 2008 post: “Potential customers are lured to purchase under what we feel to be false, misleading and deceitful promotional material, and get little or no value out of money spent at the websites. Blog and message board posts from the community confirm this opinion.”

Lulu Software’s current CEO, Eric Gareau, lists himself on his LinkedIn page as the president of Interactive Brands from 2006 until 2010, providing a further link between Lulu Software and Dadoun and Assouline.

At least one of the websites operated by Interactive Brands and selling Ad-Aware was registered to Steve Dimech, who is listed as a board member of LVS Software (2-page PDF/62.1KB).

Ad-aware2007.com, which was selling Ad-Aware to customers in 2007, was at the time registered to Dimech.

Assouline and Dadoun also operated an ecommerce credit card processing company called Market Engines, based in Montreal. The company operated a panoply of websites, such as Download-It-Free.com, FreeMP3Lover.com, Mp3MusicAccess.com and eMuleCenter.com. Market Engines operated a call centre to help sell users reskinned software that was available to users for free elsewhere. The company justified it at the time by claiming that the money charged was for “technical support”.

Market Engines claimed to be owned by Malta-based MP3 Networks, which also had offices in the Caribbean, and which was set up in July 2004, five months before Market Engines started business. The director of MP3 Networks was Charles Assouline, now also listed as a board member for LVS Software AB, Lavasoft’s registered company name.

Sites operated by Dadoun and Assouline’s companies have recently been listed as “high risk” by URL-scanning services including McAfee’s SiteAdvisor. Netspyprotector.com is listed on the reputation analysis site MalwareURL as a site offering access to rogue software. Although the Netprotector domain is now privately registered, its contact page still shows it as belonging to MP3 Networks Ltd at its Caribbean address.

Both of these domains are hosted at 63.243.188.110. Other domains hosted at this IP include error-doctors.com, which McAfee calls a high-risk, malicious site, due to marketing/merchandising practices. This is registered at 48/4 Amery Street, Sliema SLM 1701, which is the same address now listed as a contact address for Lavasoft in Malta, following the Solaria acquisition.

Others registered to Market Engines at Maltese addresses – hosted at the same IP address – and receiving suspicious site ratings, include myxptools.com (WOT rating, McAfee rating), thenuker.com (WOT, McAfee), and easy-antivirus.com (WOT, McAfee).

The technical contact for all these sites is listed as another Dadoun – Stephane – with an Upclick.com email address. Stephane Dadoun is listed on Linkedin as IT director at Upclick.

The 63.243.188.110 address is in a block owned by a hosting firm called Rack Engines. Rackengines.com is also registered to Market Engines at the Maltese address. Its ARIN records show David Dadoun as a contact.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/11/lavasoft_has_new_owners/

Hamburg loses rag with Facebook, threatens to sue

Hamburg’s data protection authority has reportedly given up continuing its dialogue with Facebook and is preparing to sue the company over its use of facial recognition technology.

That might be tricky for the agency, however, given that the long-awaited overhaul to 1995’s European data protection law has been delayed until early next year.

As European Commissioner Viviane Reding told this reporter in June, the data protection directive was supposed to arrive this autumn.

In the meantime, Facebook – on a European level – isn’t currently breaching data protection law when it makes stealth tweaks to its technology without first informing its users of the change.

The directive should help address that loophole.

“You cannot hide anymore by saying ‘my server is in Honolulu and my other server is in Kiev and…’ I don’t care,” the commissioner told us in the summer.

“The law is for everyone who does business on the territory of Europe, whatever the origin of the business might be. So you cannot hide anymore by saying ‘I do not have my headquarters in Europe’.”

Clearly, the Hamburg DPA has lost its patience with the dominant social network, hence the threat to sue the company.

“Facebook has introduced this [facial recognition] feature in Europe, without informing the user and without obtaining the required consent. Unequivocal consent of the parties is required by both European and national data protection law,” said the DPA, courtesy of a translation from Deutsche Welle.

Reding might want to point out to the Hamburg DPA that its statement is slightly premature.

Facebook’s German spokeswoman Tina Kulow gave The Register this statement:

“We believe that any legal action is completely unnecessary. The Tag Suggest feature on Facebook is fully compliant with EU data protection laws. On top of that we have given comprehensive notice and education to our users about Tag Suggest and we provide very simple tools for people to opt out if they do not want to use this feature,” she said.

“We have considered carefully different options for making people even more aware of our privacy policies and are disappointed that the Hamburg DPA has not accepted these.”

There’s also the question of whether the 27 member states that make up the EU bloc will respond positively to Reding’s “Right to be forgotten” pledge that is loaded into the data protection directive.

If the recent apathetic reaction of the Eurozone to Brussels’ cookie privacy law in May this year is anything to go by, then Reding could yet have a tough time on her hands convincing individual countries to transpose the DP directive into national legislation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/11/facebook_facial_recognition_tech_hamburg/

Facebook offers 20-year privacy settlement to FTC

Facebook appears to be close to a settlement with the Federal Trade Commission over complaints of users’ privacy being abused by the social networking giant.

According to two people familiar with the negotiations, Facebook is offering to submit to annual privacy monitoring for the next 20 years. It may also give a commitment not to share comments made in private conversations on the site with third parties, the New York Times reports.

Facebook faces an investigation from the FTC after complaints in 2009 from the Electronic Privacy Information Center and others. The firm is also under investigation from the Canadian authorities for similar issues, and the ongoing investigations forced Facebook to beef up its legal team to cope.

“This is part of the balancing act Facebook has to do,” said Jeff Chester, executive director of the Center for Digital Democracy. “It also needs to settle the privacy complaints in the United States and Europe before its IPO. The real test of the F.T.C.’s Facebook deal will be whether a user actually has control over their own information, or will this be a tiny digital bump on the road that does nothing to derail Mark Zuckerberg’s voracious appetite to swallow up our data.”

A decision from the FTC on the suitability of Facebook’s proposed plan is expected within the next week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/11/facebook_settle_ftc_privacy/

Apple kills code-signing bug that threatened iPhone users

Apple has patched a serious bug in iPhones and iPads that allowed attackers to embed secret payloads in iTunes App Store offerings that were never approved during the official submission process.

Charlie Miller, who is principal research consultant at security firm Accuvant, was kicked out of the iOS developer program on Tuesday after demonstrating the danger posed by the weakness. The InstaStock title that he wrote and was accepted into the app store in September billed itself as nothing more than a program to track the share prices of publicly traded companies. But behind the scenes, it bypassed protections built into iOS devices that prevent code from running on them, unless it’s signed by Apple’s official cryptographic seal.

As a result, InstaStock allowed Miller, who is also a co-author of The Mac Hacker’s Handbook, to surreptitiously spy on anyone who installed the app. Just hours after he disclosed the secret functionality – and the bug that made it possible – Apple excommunicated him from the developer program, making him ineligible to test the security of new products before they are released to the public.

On Thursday, about 48 hours after Miller exposed the threat, Apple said it had closed the security hole in iOS 5.0.1.

“A logic error existed in the mmap system call’s checking of valid flag combinations,” the advisory said. “This issue may lead to a bypass of codesigning checks.” The threat had existed since the release of iOS 4.3.

Code signing represents a significant barrier to getting malicious apps on iPhones and iPads that haven’t been jailbroken. It prevents code from running on the devices unless it has been digitally signed by Apple officials, and it also stops developers from modifying the app after the fact. It is perhaps the single biggest security distinction between iOS and Google’s rival Android operating system.

Miller was able to circumvent code signing after he discovered an exception that was introduced in iOS 4.3 that, for the first time, created a small region in iPhones and iPads where unsigned code downloaded from the internet could be executed. The exception was designed to improve the performance of Safari by allowing it to do just-in-time compiling.

Thursday’s iOS update also includes fixes for at least four other security threats, including a flaw that allowed locked iPad 2 devices to be opened without entering a passcode. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/10/apple_iphone_security_bug/

Lockheed Martin splurges $AU10 million on security lab

Lockheed Martin has added a cyber-security centre in Canberra to an international network of labs that includes facilities in the US and UK.

Its NextGen Cyber Innovation and Technology Centre (NCITE) is now under construction, and will comprise 900 square meters of floor space. Due for its official opening in March 2012, Lockheed Martin says the facility will eventually employ 200 staff.

A “soft launch” this week was held to coincide with the 2011 Military Communications and Information Conference in Canberra.

The company’s CTO for cybersecurity, Curt Aubley, said: “We will be able to conduct offensive and defensive control testing and wildfire work on the Internet. It is a separate network where we can train offensive versus defensive, so we can rapidly learn in a safe and secure environment.”

The company says the system will run three private clouds and one public cloud, and will be secure to Australia’s “secret” classification level.

According to Defense News, the company is also stringing together a group of partners to form the “Global Innovation Alliance”, with initial members that include the Australian National University’s Edge team, CA, Dell, Glasswall Solutions, HP, McAfee, Quintessence Labs, Schneider Electric and Taskey.

The NCITE AU facility is in a new building in the Canberra suburb of Kingston. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/10/lockheed_martin_ncite_au/

Murdoch blames other NI execs for phone-hacking scandal

James Murdoch has once again defended himself against allegations that he knew in 2008 that phone-hacking was more widespread than one “rogue reporter” at the company’s now-closed Sunday tabloid News of the World.

The News International chairman told MPs today that he was given “sufficient information” at a 30-minute meeting with ex-NotW editor Colin Myler and NI’s legal manager Tom Crone in June of that year to “authorise the increase of the settlement offers” made to phone-hacking victim Gordon Taylor.

Former Professional Footballers’ Association boss, Taylor, filed a damages claim against the newspaper, which was sensationally shut down by News International – the sister company of Rupert Murdoch’s News Corp – in July this year.

Taylor eventually received £425,000, though he had sought a settlement payment of £1m from the company.

Murdoch looked assured as he faced the Culture, Media and Sport select committee for a second time today, after he and his father were grilled in Westminster four months ago.

The younger Murdoch claimed that Crone had “misled” Parliament at an earlier session, when the ex-legal boss had alleged that the chairman had been privy to an email with the subject line “for Neville” that contained a transcript of illegally intercepted voicemail messages around the time he authorised the payment to Taylor.

The “importance” of the email demonstrated that another reporter working at the NotW was named, Murdoch said.

But it “was not described to me in detail or at all,” he claimed.

“It was not described as the ‘For Neville’ email, and I want to be very clear. No documents were shown to me at that meeting or were given to me at that meeting.”

Murdoch added that he was unable to recall any conversation with Myler prior to 10 June 2008, when he authorised the settlement payment to Taylor.

NI’s ex-lawyers Farrer & Co released documents last week to the culture committee that appeared to suggest a discussion between the two men had taken place on 27 May 2008.

“The first and only substantive meeting or conversation that I recall about the matter was the June 10 meeting with Mr Crone and Mr Myler, although I cannot rule out whether or not he [Crone] called me or stopped me in the hallway, or something like that, for a brief conversation,” Murdoch said.

“There is a lot of supposition in their [Crone and Myler] testimony,” said Murdoch, when asked by MPs which party was telling the truth about what happened in the summer of 2008.

He admitted that: “At various times, and I am sorry for this, the company moved into an aggressive defence too quickly.”

But the would-be heir to Rupert Murdoch’s throne refused to accept that he had misled MPs at any point over the scandalous phone-hacking affair that has rocked News Corp. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/10/james_murdoch_phone_hacking_myler_crone/