STE WILLIAMS

Has your account been pwned? New website will tell you

Security researchers have set up a website that allows punters to check whether or not their email addresses have appeared in data dumps slurped from compromised databases.

Hacking attacks on sites including Gawker and the network of Sony’s gaming division have led to the publication of hundreds of thousands of users’ credentials online, sometimes (but not always) by activists at Anonymous.

That’s bad enough in itself but is even worse for users who use the same login details for all their online activity – from email to online banking. Compromised firms normally make some effort to notify affected customers but this does not always happen.

A new site – called Pwnedlist.com – aims to plug this information gap. Users enter a username or email address into the site’s search box to find out if their username has appeared in any recent public data dumps. Users are not prompted to enter their password itself.

If a username or email address appears on the list, users are advised not to panic and to simply change their passwords. There’s also sensible advice on offer on password security even if credentials are not on the list.

The service includes five million records and was established by Alen Puzic and Jasiel Spelman, security researchers from DVLabs – a division of HP TippingPoint.

“Data entered is not stored, re-used, or given to any third parties,” the terms and conditions of the site explain. Tech savvy users can submit a SHA-512 hash of their email address or username as input instead of the plaintext version.
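As an added illustration (not part of the original article and not Pwnedlist’s own code), the following Python shows what a hash-only lookup involves on both sides, and why a SHA-512 hash of an email address is only a thin veil. The normalisation rule, the sample “dump” and the candidate list are constructed for this example; the article does not say how Pwnedlist normalises input before hashing, so that is an assumption.

```python
import hashlib

def normalise(identifier):
    # Assumption (not stated by the article): the lookup compares
    # whitespace-trimmed, lower-cased identifiers, so "Alice@Example.COM"
    # and "alice@example.com" hash identically.
    return identifier.strip().lower()

def sha512_hex(identifier):
    """The hashed form a cautious user would paste into the search box."""
    return hashlib.sha512(normalise(identifier).encode("utf-8")).hexdigest()

def is_in_dump(identifier, dump_hashes):
    """Service side: only digests are compared, so the plaintext address
    never has to be stored.  dump_hashes is a set of SHA-512 hex digests."""
    return sha512_hex(identifier) in dump_hashes

def recover_from_hash(target_hex, candidates):
    """Why the hash is not a secret: anyone holding a list of plausible
    addresses (the service included) hashes each one and compares."""
    for candidate in candidates:
        if sha512_hex(candidate) == target_hex:
            return normalise(candidate)
    return None

# Constructed sample dump: three addresses that "appeared" in a breach,
# kept as digests the way a hash-only lookup service could store them.
LEAKED_ADDRESSES = ["alice@example.com", "bob@example.org", "carol@example.net"]
DUMP_HASHES = {sha512_hex(a) for a in LEAKED_ADDRESSES}

if __name__ == "__main__":
    query = "Alice@Example.com"
    print("submitted digest:", sha512_hex(query)[:16] + "...")
    print("in dump:", is_in_dump(query, DUMP_HASHES))
    # A harvested digest is reversed from a short candidate list instantly.
    print("recovered:", recover_from_hash(sha512_hex(query),
                                          LEAKED_ADDRESSES + ["dave@example.com"]))
```

The point of the last function is the caveat: email addresses have little entropy and are already widely harvested, so submitting a hash protects the address from a casual observer of the request but not from anyone who can compare it against a list. It does protect against the service storing the raw address, which is the stated aim.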

Puzic and Spelman explain the pwnedlist project, and how they would like to develop it, in an interview with KrebsOnSecurity.com here.

Pwnedlist.com is nicely done and serves a useful purpose, for example in cases where net users need proof that their online identity has been compromised.

However, any similar services that crop up might not be so well done: encouraging users to hand over even part of their login credentials to supposed security checking sites is not necessarily a good thing, Carole Theriault of Sophos notes.

“These types of service could also raise a concern: what is to stop a malicious site, masquerading as a helping hand, requesting usernames (or even passwords) from internet users? Indeed, we have seen many nasty sites pretend to be legitimate or reputable over the years,” Theriault writes.

Theriault concludes that if users even think their logins might have been compromised they ought to change their credentials, whether or not they are able to confirm that they have indeed been pwned. She concludes with some password tips of her own in a blog post here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/pwnedlist/

Apple requires Mac App Store candidates to be sandboxed

Developers submitting applications to Apple’s Mac App Store will soon be required to add an extra layer of security for their wares to be accepted.

Beginning in March, all apps submitted must implement sandboxing, a protection that tightly restricts the way applications can interact with other parts of the operating system. By isolating the app from sensitive OS resources, sandboxing minimizes the damage that can be done when vulnerabilities are exploited. It was significantly improved with this year’s release of OS X Lion.
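On OS X the sandbox is switched on per application through its code-signing entitlements, so the practical check is to read those entitlements. The following Python is an added example (not from the article or from Apple) that audits an entitlements property list of the kind `codesign -d --entitlements :- App.app` prints. The entitlement key names are Apple’s documented ones; the three sample plists and the accept/review/reject triage rule are constructed for this example and are not Apple’s review criteria.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."

def audit_entitlements(plist_bytes):
    """Parse an entitlements plist and summarise what the app asks for."""
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get(SANDBOX_KEY) is True
    # Every other truthy entry is a capability the sandbox is asked to grant;
    # some are booleans, some (apple-events targets, file paths) are arrays.
    granted = sorted(k for k, v in ents.items() if k != SANDBOX_KEY and v)
    temporary = [k for k in granted if k.startswith(TEMP_EXCEPTION_PREFIX)]
    return {"sandboxed": sandboxed, "granted": granted,
            "temporary_exceptions": temporary}

def verdict(summary):
    """Triage rule for this example: reject apps that do not opt in to the
    sandbox, hold temporary exceptions (the escape hatch the AppleScript
    cases above tend to need) for a human reviewer."""
    if not summary["sandboxed"]:
        return "reject: app-sandbox entitlement missing or false"
    if summary["temporary_exceptions"]:
        return "review: " + ", ".join(summary["temporary_exceptions"])
    return "accept"

def _plist(dict_body):
    # Wrap a <dict> body in the property-list envelope (constructed input).
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + dict_body +
            '</dict></plist>').encode("utf-8")

# Constructed entitlement sets for the cases discussed in the article.
WELL_BEHAVED = _plist(
    "<key>com.apple.security.app-sandbox</key><true/>"
    "<key>com.apple.security.network.client</key><true/>"
    "<key>com.apple.security.files.user-selected.read-write</key><true/>")

NEEDS_APPLESCRIPT = _plist(
    "<key>com.apple.security.app-sandbox</key><true/>"
    "<key>com.apple.security.temporary-exception.apple-events</key>"
    "<array><string>com.apple.finder</string></array>")

NOT_SANDBOXED = _plist(
    "<key>com.apple.security.network.client</key><true/>")

if __name__ == "__main__":
    for name, blob in [("well-behaved", WELL_BEHAVED),
                       ("needs-applescript", NEEDS_APPLESCRIPT),
                       ("not-sandboxed", NOT_SANDBOXED)]:
        summary = audit_entitlements(blob)
        print(f"{name:18} sandboxed={summary['sandboxed']!s:5} -> {verdict(summary)}")
```

Reading the granted list is the useful part for a reviewer: a sandboxed app that also asks for broad temporary exceptions has opted in on paper while keeping most of the reach the sandbox was meant to remove.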

“The vast majority of Mac users have been free from malware and we’re working on technologies to help keep it that way,” a blurb on Apple’s developer news page stated. “As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing.”

The move comes as the quality and quantity of malware targeting Macs has steadily risen over the past year. The recently discovered DevilRobber.A trojan, for instance, commandeers a Mac’s graphics card to mine the digital currency Bitcoin, and OSX/Revir.A can install itself even without explicit user permission, bypassing a protection that has long brought comfort to many Mac fans.

Recent changes to the Flashback trojan prevent the malware from running on virtual machines, a stealth technique adopted years ago by Windows malware developers.

The new sandboxing requirement was quickly applauded by many security researchers, but the reaction among Mac developers was decidedly more mixed. According to The Unofficial Apple Weblog, Apple’s sandboxing approach has the potential to interfere with some functions, particularly those involving AppleScript and the programming interface known as Carbon.

“For 99.44% of the applications out there, sandboxing is a workable technology, whose adoption curve is relatively flat and low-friction, and whose users won’t notice any functional difference,” Rich Siegel, founder and CEO of the Mac development house Bare Bones Software, said in an email. “Applications whose functional scope is in that last 0.56% will require solutions that take into account the notion of ‘implicit user intent,’ which to date hasn’t been adequately addressed by the sandboxing model as currently presented.”

Siegel’s percentages are figurative and not intended to be taken literally.

The contrasting reactions highlight the longstanding conflict between the security and functionality of software. More often than not, when one is increased, the other suffers.

Ultimately, the new Apple mandate is a good thing. An analysis from last year showed that some of the most popular Windows applications, including Java, Apple QuickTime, and OpenOffice.org, failed to implement security protections that had been available for years in the Microsoft OS. What’s more, the report found that the Mozilla Firefox, Chrome, and Opera browsers applied the mitigations inconsistently.

Clearly, the build-it-and-they-will-come approach doesn’t always work when OS developers bake important protections into their systems. Apple’s mandate may be painful for some developers, but if it protects end users, it will be worth the hardship. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/mac_app_store_sandbox/

Cyberattack Blighty and we’ll use ‘military means’

LCC Any British response to a foreign state’s cyberattack would be proportionate, a Foreign Office official told The Register yesterday.

On Monday, UK Prime Minister David Cameron told the London Conference on Cyberspace (LCC) that threats of electronic attacks were “a real and pressing concern” for the country.

“This summer a significant attempt on the Foreign Office system was foiled. These are attacks on our national interest. They are unacceptable. And we will respond to them as robustly as we do any other national security threat,” Dave said.

John Duncan, the FCO’s special representative for the conference, told El Reg that the nation’s response, military or otherwise, to cyberattacks was under constant review.

“The UK has just revised its nuclear declaratory policy, that is a reflection of the way the world is changing,” he said.

“As we look at the response to an attack through cyberspace, you can be quite sure that the government will keep this very closely under review to ensure that we respect the obligation to act proportionately – which is the fundamental principle of armed force. That’s a really key point in understanding what the Prime Minister is saying,” he added.

Duncan said that a major problem in dealing with international hacking attempts was working out where attacks are coming from.

“If one country launches an attack on another country using proxies – be they proxies in the original sense, meaning agents of that country, or proxy servers in the cyberspace world – we have to judge whether that is actually coming from a country,” he said. “And the first step is the diplomatic means and then the military means, as it has always been. We have to stand ready to respond in kind, because we’re very vulnerable, we’re all very vulnerable.”

Rise of the gangster-hacker

In other cases the attack may be coming from within a country, but enacted by criminal gangs or groups of terrorists, another possibility the government has to investigate.

“We no longer have the certainties of the Cold War,” Duncan said. “It’s very difficult to identify what the threat is and therefore it’s very difficult to train against the threat and to budget for the threat.

“It’s the non-state actor and the proxy actor that is the more dangerous threat to us today and it’s more difficult to prepare for because you don’t know where it’s coming from,” he added, acknowledging that it was the same in the real world.

Some would suggest that a weapon governments would like to have in their arsenal to deal with online issues is the ability to constrict social networks. The subject came up during the conference even as both the Foreign Secretary William Hague and the Prime Minister insisted that the UK supports an open and free internet.

After the summer riots, the government considered a move against the websites and services used by looters to communicate and organise raids.

“If you see something that’s a threat on one side of the cyberspace architecture, you have to be really careful in understanding that if you take action against it, it doesn’t damage the other parts of the architecture that you are trying to promote,” Duncan said. “And the British government did understand that.”

“There was a reaction of ‘What’s happening here, we need to have a look at it’, and the conclusion was we should not do anything to constrain Facebook and BlackBerry and all those things because it would damage other things we are trying to do,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/uk_cyberattack_response/

Hague refuses to name nations which cyberattack Britain

LCC The London Conference on Cyberspace wasn’t a forum for outing the states that had launched cyberattacks in the UK, the Foreign Secretary said yesterday.

One of William Hague’s “messages” from the conference, outlined in his closing remarks, was that “state-sponsored attacks are not in the interests of any country long-term, and those governments that perpetrate them need to bring them under control”.

The statement was rather weak when compared with the Prime Minister’s promise in his speech on Monday that the UK would respond “robustly” to any cyberattack.

When challenged on why Britain hasn’t done more about the state-sponsored attacks that have already happened, Hague told reporters that they were going about this issue in a diplomatic way.

“We have not been having a judgemental conference. I don’t think you can simultaneously hold a conference of this kind, drawing governments into the discussion and then doing the equivalent of pointing the finger at them all saying ‘You are guilty men’,” he said.

He also said that people made a lot of assumptions about who was behind state attacks and they weren’t always right.

However he added that he expected the government would have “vigorous and private discussions about these things” in the future.

The conference has also come under some criticism for apparently stirring the brewing trouble between Western countries and China and Russia over the issue of internet regulations.

William Hague acknowledged that the UK and US message from the conference that the internet shouldn’t be subject to strong state control was in some conflict with China and Russia’s call for a code of conduct online, but said he hadn’t expected to solve that conflict in the last two days.

“There’s a difference between Britain, the US and European societies on the one hand and China and Russia, of course. There’s different attitudes to freedom of expression, offline as well as online,” he told reporters, adding that he didn’t expect to “square” those differences right now.

However, he reiterated the British government’s stance that there should be freedom of expression and openness online and said states that hoped to curb their citizens on the web were likely to be disappointed.

“In the long term, efforts to resist the free flow of information, the tide that’s going towards greater transparency and accountability, will fail,” he said.

A statement on the findings of the conference can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/cyber_attack_states/

Smart meters: Nothing can possibly go wrong, says gov

A UK government minister has reassured Parliament that upcoming deployments of smart meters will be secure.

The assurances by junior energy minister Charles Hendry follow admissions by a senior civil servant at a House of Commons Public Accounts committee on Monday that the government’s £12bn plan to roll out smart energy meters in the UK by 2019 might yet be shelved, depending on the outcome of a review next year. The review will focus on the business case for the deployment of smart meters but security concerns also exist.

Last year Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, warned that smart metering would introduce a “strategic vulnerability” that might be exploited by hackers to remotely switch off elements on the gas or electricity supply grid. Software errors introduced during an update also pose a risk.

Security researchers at IOActive previously highlighted (PDF) weak authentication, a lack of encryption and inadequate authorisation in smart meter deployments, during a research project that looked at rollouts in the US and Europe.
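The first of those three weaknesses is the one that turns Anderson’s “remote switch-off” worry into a practical attack: if a meter will act on any well-formed disconnect command, whoever can reach it on the network owns the supply. The following Python is an added example (not from the article, IOActive or any metering standard) of the minimum a meter should demand before acting: a message authentication code under a per-meter key, a check that the command is addressed to this meter, and a strictly increasing counter so a captured valid command cannot be replayed. The wire format, command codes and keys are constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed wire format for this example (not a real metering protocol):
#   meter_id (8 bytes) | counter (4 bytes, big-endian) | command (1 byte) | tag (32 bytes)
COMMANDS = {0x01: "READ", 0x02: "DISCONNECT", 0x03: "RECONNECT"}
HEADER_LEN = 8 + 4 + 1
TAG_LEN = 32

def build_command(key, meter_id, counter, command):
    """Head-end side: authenticate the command under the meter's own key."""
    body = meter_id + struct.pack(">I", counter) + bytes([command])
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag

class MeterVerifier:
    """Meter side: act only on authentic, fresh commands addressed to this meter."""

    def __init__(self, meter_id, key):
        self.meter_id = meter_id
        self._key = key
        self._last_counter = -1      # highest counter accepted so far

    def verify(self, msg):
        """Return (accepted, reason_or_command).  Nothing is actioned and the
        counter is not advanced unless every check passes."""
        if len(msg) != HEADER_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = msg[:HEADER_LEN], msg[HEADER_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False, "bad tag"                  # forged or tampered
        if body[:8] != self.meter_id:
            return False, "wrong meter"              # valid, but not for us
        counter = struct.unpack(">I", body[8:12])[0]
        if counter <= self._last_counter:
            return False, "replay"                   # seen this (or later) already
        self._last_counter = counter
        return True, COMMANDS.get(body[12], "unknown")

if __name__ == "__main__":
    key = b"\x11" * 32            # constructed per-meter key
    meter = MeterVerifier(b"METER001", key)
    good = build_command(key, b"METER001", 1, 0x02)
    print("genuine:  ", meter.verify(good))
    print("replayed: ", meter.verify(good))
    forged = good[:12] + bytes([0x03]) + good[13:]
    print("tampered: ", meter.verify(forged))
    print("other key:", meter.verify(build_command(b"\x22" * 32, b"METER001", 2, 0x02)))
```

This gives integrity, origin authentication and replay resistance; it does not give confidentiality (the command is sent in the clear) and the counter must survive a meter reboot, which is why the state is kept in the verifier object rather than recomputed. A single shared key across the fleet would undo the “wrong meter” check, since anyone holding it could address any meter; per-meter keys are the point.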

Asked about these security concerns, and in particular fears that smart meter systems may not have been properly secured against hacking by third parties, Charles Hendry, Minister of State at the Department of Energy and Climate Change, told Parliament on Wednesday that a comprehensive risk assessment programme would accompany the deployment of the technology:

“The government are putting robust arrangements in place for the security of the smart metering system, which have been informed by a rigorous risk assessment. DECC has a dedicated team of security experts within the Smart Metering Implementation Programme, who perform ongoing risk assessments in order to identify the nature of possible threats, including hacking by third parties.

“Security requirements are being developed to minimise: (i) the likelihood of such an event taking place, and (ii) the impact should it occur. The development of these requirements has involved extensive consultation with other government departments and relevant agencies, as well as with industry.

“We have a comprehensive risk assessment and we are developing a plan for implementation, which will specify the enduring security governance roles and responsibilities to ensure risks are appropriately managed.”

Smart meters introduce two-way communication between a meter and a utility’s central system, something absent from older analogue meters. The devices feature sensors, so they can monitor and report on the quality of gas and electricity supply, as well as how many units are consumed for billing purposes.

Utilities want to deploy smart meters because the technology will simplify the process of collecting meter readings and controlling supply at times of high demand. The kit also makes it easier to switch subscribers to higher tariffs in cases where they fail to pay their bills on time.

But for consumers the rollout of an estimated 47 million smart meters to the UK’s 26 million homes is likely to cost £6 per annum per household at a time when energy prices are already rising at record rates, a trend that shows no signs of turning around anytime soon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/smart_meter_security/

Gadget ‘bouncers’ hired to patrol biz clouds

Security appliance firms are using the big industry push towards cloud services, and the trend of allowing staff to bring their own devices into work, to sell technology that attempts to fix the resulting security mess.

ForeScout Technologies launched a scheme to sell its CounterACT Network Access Control (NAC) technology as a cloud platform to hosting providers and managed service providers (MSPs) on Tuesday. The firm already sells to hosting providers; MSPs will be a new string to its bow.

The move coincides with the release by Bradford Networks, a competitor to ForeScout, of an app that enables secure network access for trusted iPads, iPhones and other Apple devices. The app is a feature of the latest version of Bradford’s Network Sentry, version 5.3, which will be generally available this month.

Network Access Control (NAC) technology can be compared to nightclub bouncers. Where a bouncer turns away anyone wearing jeans, NAC stops a laptop joining the network unless it is, for example, fully patched and running up-to-date anti-virus, which limits the spread of worms from one machine to the next. NAC can also restrict which parts of a network a guest device (smartphone, tablet etc) can reach, much as bouncers keep people out of a club’s VIP area (for VIP area read customer database, accounts etc).
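As an added illustration of the bouncer analogy (not code from the article, ForeScout or Bradford Networks), the following Python evaluates the kind of posture report a NAC agent or agentless scan produces and maps each device to a network segment with a fixed set of reachable zones. The thresholds, zone names and device reports are constructed for this example; the one property worth copying is that missing or unparseable posture data fails closed into the remediation segment rather than being treated as compliant.

```python
from datetime import date, timedelta

# Segments a device can land in, most to least privileged.
FULL, RESTRICTED, QUARANTINE, GUEST = "full", "restricted", "quarantine", "guest"

# What each segment may reach (constructed policy).  The "VIP area" is the
# customer database and finance systems; quarantine sees only the servers
# needed to fix what is wrong.
ZONES = {
    FULL:       {"internet", "intranet", "customer-db", "finance"},
    RESTRICTED: {"internet", "intranet"},
    QUARANTINE: {"patch-server", "av-update-server"},
    GUEST:      {"internet"},
}

MAX_PATCH_AGE = timedelta(days=30)   # assumed thresholds for this example
MAX_AV_SIG_AGE = timedelta(days=7)
TODAY = date(2011, 11, 3)

def assign_segment(posture, today=TODAY):
    """Decide a device's segment from its posture report.  Anything the
    report cannot prove counts against the device (fail closed)."""
    if not posture.get("managed", False):
        return GUEST             # personal phones/tablets never reach internal hosts
    try:
        patched = date.fromisoformat(posture["os_patch_date"])
        av_sigs = date.fromisoformat(posture["av_signature_date"])
    except (KeyError, ValueError):
        return QUARANTINE        # no usable evidence of compliance
    if today - patched > MAX_PATCH_AGE or not posture.get("av_running", False):
        return QUARANTINE        # worm food until patched / AV restarted
    if today - av_sigs > MAX_AV_SIG_AGE:
        return RESTRICTED        # usable, but kept away from the crown jewels
    return FULL

def may_reach(posture, zone, today=TODAY):
    return zone in ZONES[assign_segment(posture, today)]

# Constructed posture reports as an agent might submit them.
DEVICES = {
    "corp-laptop":  {"managed": True, "os_patch_date": "2011-10-28",
                     "av_signature_date": "2011-11-02", "av_running": True},
    "stale-laptop": {"managed": True, "os_patch_date": "2011-08-01",
                     "av_signature_date": "2011-11-02", "av_running": True},
    "old-sigs":     {"managed": True, "os_patch_date": "2011-10-28",
                     "av_signature_date": "2011-10-01", "av_running": True},
    "visitor-ipad": {"managed": False},
    "no-report":    {"managed": True},
}

if __name__ == "__main__":
    for name, posture in DEVICES.items():
        seg = assign_segment(posture)
        print(f"{name:13} -> {seg:10} {sorted(ZONES[seg])}")
```

The segment decision is only as good as the posture report behind it: an agent running on a compromised machine can lie about its patch level, which is why products in this space combine agent reports with network-side observation.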

ForeScout and Bradford Networks compete in the network access control (NAC) and policy compliance market with products and services from the likes of Cisco, Juniper and McAfee.

NAC technology attempts to solve various problems including policy enforcement and access management that other bits of security tech also attempt to tackle. Perhaps because of this confusion the technology, first talked about seven or eight years ago, is still in the early adopter phase. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/nac/

Facebook denies silent stalking of punters (again)

Facebook has once again been forced to defend its use of cookies after a German watchdog said it was “suspicious” that the dominant social network was creating tracking profiles of its users without seeking their consent to do so.

The company denied it was slurping such data from its stalkerbase as claimed by the Hamburg data protection authority (DPA).

“Facebook does not track users across the web,” it said in a statement. “Instead, we use cookies on social plugins to personalise content (e.g. show you what your friends liked), to help maintain and improve what we do (e.g. measure click-through rate), or for safety and security (e.g. keeping underage kids from trying to sign up with a different age).

“No information we receive when you see a social plugin is used to target ads, we delete or anonymise this information within 90 days, and we never sell your information.”

On the thorny topic of logged-out cookies, Facebook said it deleted the files when a user signed out of the site.

“We do not receive personally identifiable cookie information when logged-out users browse the web,” the firm said.

The Hamburg DPA has previously warned Facebook that it would be fined by the watchdog if the company failed to delete the “biometric data” it harvested from its facial recognition tech.

The Register understands that Facebook has offered to provide the DPA with a technical explanation of how it uses cookies. For its part, the company considers any conclusion reached by the Hamburg watchdog before proper consultation with Facebook to be “incomplete”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/facebook_cookies_data/

Google and co join gov’s identity marketplace

Google is among 26 companies that have signed up to the government’s latest effort to create a British business sector out of the handling of private data and an individual’s online identity.

[Image: the midata logo. Caption: The logo depicts the comforting eye of Sauron midata…]

UK.gov prefers to cast this agenda as part of its push to make the government and private companies more transparent about the information they hold on taxpayers and consumers.

The Business, Innovation and Skills department launched “midata”, which is based on a voluntary partnership, today and said that consumers in Blighty would soon be able to access information held by the likes of British Gas, MasterCard and Google via online “personal data inventories” (PDIs).

According to BIS, companies that sign up to midata would benefit from more information being shared by consumers.

“As customers get used to updating and managing preferences and permissions, they are more likely to opt in rather than out of marketing communications,” said the department in a document outlining the “potential benefits” to business.

BIS claimed that consumers would be “empowered” by such data sharing online.

But the agenda also feeds heavily into the Cabinet Office’s plan to offload identity-handling onto the private sector.

“Under the government’s proposed ID assurance scheme, a market for providers of identity services will be created. Individuals will be able to take these ‘tokens of identity’ with them from organisation to organisation,” said BIS.

“The same approach can be extended to other tokens of verification, for example that this person ‘has this credit score’, or ‘is entitled to these benefits’. These tokens can reduce risk and streamline sales processes.”

Unsurprisingly, the government – anxious not to see a backlash from privacy advocates accusing it of mounting its own infant ID card system, sans the card – reasserted that it won’t have a huge data repository in Whitehall that holds all of this information.

“Midata will not create any central databases or data portals,” said BIS.

“Any data that companies pass back to customers will be passed to individuals and no one else. The government won’t see or have access to any of the data that is released. Releasing data back to individuals is a matter for companies and their customers alone.”

It will make the first PDIs available in 2012.

“Consumer data is an incredibly valuable commodity and the amount of data kept and used is set to grow as people increasingly use online and digital services,” said watchdog Consumer Focus.

“This data should not just benefit the businesses and services who collect it. Midata is an important initiative that could help people retrieve and reuse their own personal data for their own benefit.

“But there is also the risk of serious consumer detriment if data is lost, leaked, misused or stolen. Protecting consumer data will be the pass or fail criteria for this initiative.”

Meanwhile, Information Commissioner Christopher Graham said he hoped the new scheme would operate within the current law.

“It goes without saying that privacy and data security principles must continue to be upheld and I’m pleased that consumer data security has been a key strand from the outset,” he said.

“I look forward to continuing to work with the government and businesses to ensure the scheme complies with the Data Protection Act.”

As we revealed yesterday, the government’s £10m-and-counting ID assurance scheme will almost certainly be subjected to primary legislation. But it remains to be seen whether such a new law, if passed in Parliament, would include provisions for the Midata marketplace now in play. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/bis_midata_id_assurance/

Want to avoid all private-data breaches, ever? Here’s how

Interview As information and privacy commissioner of Ontario, Ann Cavoukian’s jurisdiction is limited to the Canadian province. But that doesn’t mean the effects of her post don’t extend into territories across the globe.

“What I always say is privacy transcends jurisdiction,” she says. “It knows no boundaries. So if I’m going to protect the privacy of people in my jurisdiction, I’m going to protect privacy everywhere. Everyone is using Google, Facebook. How do you ensure that the information you give to these people or collect from them is safe anywhere? So to me, privacy is a global issue.”

Indeed, the Privacy by Design initiative she spearheaded has become an internationally recognized recipe for embedding privacy protections into the very fabric of a website or product.

[Photo: Ontario Information and Privacy Commissioner Ann Cavoukian]

She put those design principles to the test a few years ago when the Ontario Lottery and Gaming Corporation began using facial recognition technology in casinos to spot people who had identified themselves as gambling addicts. To prevent police, casino employees, or others from accessing the database and using the contents for unauthorized purposes, the system adopted what’s known as biometric encryption.

Developed by researchers from the University of Toronto, biometric encryption binds a random key with the biometric data to create a private template that’s unique and can’t be cross-matched with other databases. The key can be retrieved only when a fresh biometric sample from one of the problem gamblers is presented, making it hard for the data to be tapped for other purposes.
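To make the mechanism described above concrete, the following Python is an added example (not the Toronto researchers’ or OLG’s implementation) of a fuzzy commitment, the simplest construction that binds a random key to a noisy biometric. The stored template is the codeword of the key XORed with the enrolment sample plus a hash of the key; neither the key nor the biometric is stored, and a fresh sample recovers the key only if it differs from the enrolled one by few enough bits for the error-correcting code to absorb. The 80-bit “biometric”, the 16-bit key and the 5-fold repetition code are toy parameters chosen so the example runs instantly; they are assumptions, not anything on the page.

```python
import hashlib
import random

KEY_BITS = 16    # toy size; a real system binds a 128-bit or longer key
BLOCK = 5        # repetition code: each key bit stored 5 times, corrects <= 2 flips per block

def encode(key_bits):
    return [b for b in key_bits for _ in range(BLOCK)]

def decode(code_bits):
    # Majority vote per block recovers the key bit despite up to 2 flipped bits.
    return [1 if 2 * sum(code_bits[i:i + BLOCK]) > BLOCK else 0
            for i in range(0, len(code_bits), BLOCK)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def key_hash(key_bits):
    raw = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(raw).hexdigest()

def enrol(biometric_bits, rng):
    """Bind a fresh random key to the sample.  Only the helper data and a
    hash of the key are stored; the key and the biometric are discarded."""
    key = [rng.randrange(2) for _ in range(KEY_BITS)]
    helper = xor(encode(key), biometric_bits)     # hides key and sample from each other
    return {"helper": helper, "key_hash": key_hash(key)}, key

def verify(template, fresh_bits):
    """Release the key only if the fresh sample is close to the enrolled one.
    Errors in the sample become errors in the codeword, which decode corrects."""
    candidate = decode(xor(template["helper"], fresh_bits))
    return candidate if key_hash(candidate) == template["key_hash"] else None

def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

# Constructed "biometric": 80 feature bits from a seeded generator, so runs repeat.
RNG = random.Random(2011)
ENROLLED_SAMPLE = [RNG.randrange(2) for _ in range(KEY_BITS * BLOCK)]
TEMPLATE, BOUND_KEY = enrol(ENROLLED_SAMPLE, RNG)

if __name__ == "__main__":
    noisy = flip(ENROLLED_SAMPLE, [i * BLOCK + (i % 2) for i in range(KEY_BITS)])
    print("same person, 16 noisy bits :", verify(TEMPLATE, noisy) == BOUND_KEY)
    print("same person, 3 bad in block:", verify(TEMPLATE, flip(ENROLLED_SAMPLE, [0, 1, 2])))
    print("different person           :", verify(TEMPLATE, [1 - b for b in ENROLLED_SAMPLE]))
```

Two properties matter for the casino use case: the template cannot be matched against another database, because a different enrolment draws a different random key and so a different helper string; and the key, not the face, is what the application gets back, so the database is useless for identifying anyone without a live sample. With these toy parameters an attacker could brute-force the 2^16 keys against key_hash and then peel the biometric out of the helper, which is exactly why a real deployment binds a long key.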

El Reg recently caught up with Commissioner Cavoukian at the Web 2.0 Summit in San Francisco.

The Register: Tell us more about Privacy by Design.

Cavoukian: My message through Privacy by Design is try to prevent the harm from arising to begin with. It’s a preventative approach. It’s proactive, it’s holistic. Don’t wait for the privacy harm to arise and then you, the business, have to assume the regulatory burden of compliance with the legislation and the ramifications of that breach in terms of loss to your business, to your brand, and the cost of lawsuits.

So that’s what Privacy by Design is. It’s coming before the privacy harm has arisen. And if you can do that as a business, and we’ll tell you how to do it, then you can gain a sustainable competitive advantage. There’s a significant payoff to be had by protecting privacy.

The Register: Do you find by mandating that certain protections or practices are followed in your province, it ultimately means those practices are going to be followed universally?

Cavoukian: It’s not a definite, but this one I can say absolutely. I put forth a resolution on Privacy by Design to make it an international standard, and it was unanimously passed [at the International Data Protection and Privacy Commissioners Conference last year in Jerusalem]. What that means is Privacy by Design, this proactive framework, is now being adopted globally, in all jurisdictions, including here in the United States.

[The US Federal Trade Commission adopted Privacy by Design in December.]

So it is an international framework now for privacy protection, and people, regulators, everyone is saying if you can do this Privacy by Design thing you’re way better because you prevent so much of the burden that arises after a privacy harm takes place.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/privacy_commissioner_speaks/

Beijing to get free Wi-Fi with obvious strings attached

Over the next five years Beijing will get 480,000 free Wi-Fi hotspots, but using them will require a mobile number and an agreement to have your activities tracked and monitored.

The network is being put together by China Mobile, China Unicom and China Telecom, and will be free to use for at least the next three years. However, access will require users to hand over their mobile phone number, which can be used to “trace those whose online activity might endanger social security”, China.org was told.

The Beijing network could well be the largest municipal Wi-Fi network in the world, with 90,000 hotspots to be live by the end of 2011 and another 390,000 being connected over the next five years. But by the time it is finished users might be expected to pay for access as well as being tracked at every turn, as free access is only being offered until the tail end of 2014.

Not that locals seem worried about government snooping: internet usage is already notoriously restricted in China. The real concern is that creating a link between a mobile phone number and a web browsing history (plus a physical location) will open the door to even more mobile spam.

The Chinese are bombarded with advertising pushed to their handsets, and some argue that a few more ads won’t make a significant difference. The state’s officials are saying the data won’t be sold off to private companies, but Beijing residents don’t seem to be as trusting as the wonks might hope. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/china_free_wifi/