STE WILLIAMS

Survey: ‘4 million’ Brits stung by ID theft

Consumers continue to be complacent about identity theft despite growth of the crime, which has claimed four million victims in the UK alone.

The warning from the Metropolitan Police Service comes at the start of National Identity Fraud Prevention Week, which begins today. The seventh edition of the annual event aims to educate people and businesses about the scope of identity theft and its prevention.

According to research commissioned by paper-shredding kit supplier Fellowes, 7 per cent of the UK population (4 million people) have been victims of identity fraud at one time or another. According to the UK’s fraud prevention service CIFAS, 80,000 have been targeted this year. The average cost of an identity theft is £1,190, but some individuals have been stung to the tune of £9,000.

Operation Sterling – the Met’s anti-fraud squad – is targeting students in particular in this year’s round of awareness training, visiting university fresher weeks and running a conference in London on Wednesday for professionals working with students. The conference will discuss credit card crime and online fraud, among other topics.

The Met has drawn together a list of top tips for preventing identity fraud.

  • Check for unfamiliar transactions on bank statements.
  • Shred all documents containing sensitive information using a cross cut shredder before throwing them away – something Tory policy chief Oliver Letwin should bear in mind.
  • Investigate mail that goes missing.
  • Carry out regular personal credit report checks.
  • Redirect post for at least six months when moving house.
  • Limit the amount of personal information shared when using social networking sites.

Jamey Johnson, head of Action Fraud, the national fraud reporting and advice centre, said: “Stealing an identity is just the beginning for a fraudster. With few details, accounts can be taken over, loans can be applied for and purchases can be made, all without the consent or knowledge of the individual, potentially costing the victim substantial sums of money. Last month alone (September) Action Fraud saw over £245,000 worth of loss due to identity theft. The worrying part is that this figure was generated from a limited amount of reports, suggesting the amount lost to ID theft would be much higher if more people were reporting.”

Johnson added: “It is important to report a loss to Action Fraud, but it is more important to protect yourself from it happening in the first place. Limiting access to your personal information is the key to safety from ID fraud.”

More tips and advice on how to prevent identity fraud can be found on the campaign’s website, www.stop-idfraud.co.uk, which contains advice aimed at consumers as well as a business guide. This week’s National Identity Fraud Prevention Week campaign is sponsored by the Met Police, City of London Police, the National Fraud Authority, Equifax, CIFAS (the UK’s Fraud Prevention Service), e-Crime Scotland, the Home Office and the Royal Mail, among others. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/17/national_id_fraud_prevention_week/

Mass ASP.NET attack causes websites to turn on visitors

An infection that causes poorly configured websites to silently bombard visitors with malware attacks has hit almost 614,000 webpages, Google searches show.

The mass infection, which redirects users to a site exploiting old versions of Oracle’s Java, Adobe’s Flash player and various browsers, was first disclosed by researchers from Armorize on Wednesday. At the time, it appeared to affect about 180,000 pages. By the time of writing on Friday, the initial attack and a follow-on exploit had spread to 613,890 combined pages. The SQL injection attack mostly exploits websites running Microsoft’s ASP.Net web application framework.

The infection injects code into websites operated by restaurants, hospitals, and other small businesses and plants an invisible link in visitors’ browsers to sites including jjghui.com and nbnjkl.com. Those sites in turn redirected to several other websites that include highly obfuscated code. At the end of the line is a cocktail of attacks that exploit known vulnerabilities in Java and the other targeted programs. Computers running unpatched versions are then commandeered. Servers in the attack used IP addresses based in the US and Russia.

[Image: decoded attack script] The decoded script generates an iframe to strongdefenseiz.in, which redirects to safetosecurity.rr.nu.

When Armorize researchers submitted the code used in the attack on Wednesday, just six of the top 43 antivirus providers detected the attack, according to a VirusTotal analysis. It’s unknown if that number has improved since then.

The attack is the latest to force hundreds of thousands of vulnerable webpages to turn against their visitors. An attack in August against machines running the open-source osCommerce web application, for example, poisoned a whopping 8.3 million webpages. Websites used in this week’s attack were registered to one James Northone of Plainview, New York, the same registered owner of domains used in the Lizamoon mass-injection attacks in March, which were named after one of the addresses used.

Security firm Sucuri has additional details about the ongoing attack and a scanner that websites can use to check whether they are infected. Compromised sites trying to recover must remove the infection from their database and audit their code to rid it of SQL-injection bugs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/mass_website_inection_grows/

Drone nerve centre malware was Mafia Wars‘ infostealer

More details have emerged on how the ground systems that control US military drones came to be infected by malware.

In a statement issued on Wednesday, the US Air Force said that “standalone systems on Creech Air Force Base, Nevada” had been infected with malware. “Credential stealing” software was discovered in September on portable hard drives and traced back to a standalone mission support network:

The infected computers were part of the ground control system that supports RPA operations. The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the RPA pilots to safely fly these aircraft remained secure throughout the incident.

Ground control systems refer to those that control the weapons and surveillance functions of drones, arguably worse than infecting the piloting systems. Air force officials said that the malware, whatever system it infected, posed no threat to the operation of unmanned Reaper drones.

Colonel Kathleen Cook, spokeswoman for Air Force Space Command, said: “The detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question.”

But how did credential stealing malware get on the infected drives in the first place?

The type of malware associated with the outbreak is “routinely used to steal log-in and password data from people who gamble or play games like Mafia Wars online” an anonymous defence official told Associated Press. The official omitted to explain “why drone crews were playing Mafia Wars or similar games during their overseas missions”, noted Noah Shachtman, the journalist who broke the story.

Gaming security expert Chris Boyd, of GFI Software, said that the source must have been talking generally or referring to something targeting Facebook logins if Mafia Wars is actually involved, simply because you play Mafia Wars via your Facebook account. The malware might have been a phishing toolbar.

“Those toolbars target games such as Mafia Wars, yet they’re attempting to steal Facebook logins through phishing pages,” Boyd told El Reg. “Facebook is a popular target for malware, but it’s difficult to be more specific about the malware involved unless more information is released.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/drone_remote_cockpit_malware/

Top Tory ‘lost voters’ personal info’ days before ID fraud week

Just days before the start of National Identity Fraud Prevention Week on Monday, the Prime Minister’s chief policy advisor Oliver Letwin has been snapped binning what appear to be documents containing personal information in a public park.

The discarded documents are said to include the addresses of Letwin’s constituents in West Dorset, which could expose them to identity fraud. The Information Commissioner’s Office (ICO) confirmed that it will investigate the incident under the Data Protection Act.

Photographs of Letwin binning the paperwork were published by the Mirror, which says it found 100 or more documents ditched in bins in St James’ Park.

It is believed the files included information about the work of the government’s intelligence committee that monitors MI5 and MI6, and reports on the transfer of terrorism suspects and emails about al Qaeda, the Tories’ Big Society and the Dalai Lama. Needless to say, Downing Street has stressed that this is not in accordance with their policy on the correct disposal of documents.

However No 10 wonks told the Mirror that the documents were “not sensitive” and explained: “Oliver Letwin does some of his parliamentary and constituency correspondence in the park before going to work and sometimes disposes of copies of letters there. They are not documents of a sensitive nature.”

It’s the allegation concerning information about constituents that could get Letwin in hot water. According to the Mirror, four of the documents dumped contained personal data. That’s the first line of inquiry for the Information Commissioner’s Office.

“At the moment we’re looking at it from a data protection point of view, and at this stage it’s an inquiry rather than an investigation. We’re not looking at the Official Secrets Act,” a spokesman told us.

Identity fraud is a growing concern in the UK: next week the nation will be warned that it is on the rise, with 4 million victims in the UK alone. “Yet consumers continue to be complacent with their identities,” a press release for the National Identity Fraud Prevention Week states.

IT security companies have been quick to point out the lessons from the case.

“Paper is the most insecure way to store any document,” notes Mark Darvill, director at security firm AEP Networks.

“Provided rigorous encryption is used with appropriate access control it’s far better for all information to be stored and disseminated electronically so that only the intended user can read it.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/ico_letwin/

If the name’s not on the whitelist it can’t come in

The poor old corporate endpoint has had a bit of a battering in the last few years. Malware is more widespread and complex than ever and it is easy to get infected simply by visiting legitimate sites that have been hacked.

Now that the internet has become such a dangerous neighbourhood, are malware blacklists enough to keep the nasties out? Or are whitelists a better way to go?

Most anti-malware tools use blacklists. They scan system and application files and compare them against a list of signatures matching known malicious files.

But there are a couple of problems with blacklists. Increasingly sophisticated technology means the number of variants on a particular strain of malware has grown exponentially.

Drive-by download sites will often custom-bake a file with a unique hash for a visitor, making it difficult for anti-malware tools to spot them.

Suspicious behaviour

Catching these files is not impossible, thanks to techniques such as behavioral analysis. Scanning what the file does, rather than simply what it looks like, is a useful way to spot malicious activity.

However, this can generate its own problems. Occasionally, system files can look as though they are doing malicious things when they are simply doing their job. McAfee suffered that problem in April last year – and again in October.

An alternative is whitelisting. If the malware base is growing all the time, then maybe the right question to ask is not what you shouldn’t let in but what you should.

A whitelist contains only the files that you are willing to allow to be installed on your organisation’s computers.

Elusive prey

The disadvantage of a blacklist is that by the time malware is documented and added to a list, it is already out there in the wild. Some organisations will be infected before a blacklist is updated.

With rapidly propagating malware, waiting until a blacklist is updated can be disastrous. But it is also problematic for highly targeted software exploiting zero-day vulnerabilities.

Some of the most effective attacks have been targeted at high-value machines as part of long-term, highly orchestrated “advanced persistent threat” attacks.

A whitelist can be made to be failsafe. If a piece of software tries to install but is not on a whitelist, it can be denied access.

That would seem to provide adequate protection against all malware, albeit at the cost of some inconvenience to the user. The question for the organisation then becomes whether the trade-off is worth it.

Let the right one in

The extent of the inconvenience depends on the size of the organisation’s whitelist and its internal disciplines. A relatively large whitelist has a better chance of allowing through legitimate software.

The National Institute of Science and Technology maintains the National Software Reference Library (NSRL), a collection of hashes for known, legitimate software releases.

The SANS Institute’s Internet Storm Centre has created a list of hashes using the NSRL as a base, adding in a searchable web front end to make it usable as a whitelist.

Lumension also provides a whitelist of application data, collected from sources that include vendors and its customers’ own application scanning processes.

A legitimate file could be compromised and made to perform malicious acts

One potential drawback of a whitelist is that a legitimate file could be compromised and made to perform malicious acts. If there is an inherent vulnerability in the file, it may not even be necessary to change the hash.

The other challenge is keeping a whitelist up to date. How often do you need to update machines, and how often are you ensuring that the whitelist is also updated?

“Whitelists are good if you’re not going to be updating a machine,” says Gunter Ollman, vice-president of research at security firm Damballa, adding that a Windows 7 installation uses hundreds of thousands of files.

“If you’re not patching or putting out automatic updates, then whitelisting can serve as an ideal baseline,” he says.

In reality, of course, we all update our machines, so ensuring that a whitelist is up to date is vital if you are to avoid file problems.

If you can integrate patch management with your whitelist, you can automate those updates to lessen the burden of maintaining a whitelist over time. Trust engines allow you to make decisions based on publisher, file location, updaters and so on. They also facilitate whitelist management.

Ebony and ivory

Using both whitelisting and blacklisting together may create a more effective means of endpoint protection, say experts.

Overlaying a whitelist on a blacklist can provide another layer of verification and help to avoid some of the false positives that occasionally befall blacklists.

The whitelist could also help to filter out other software, such as “greylisted” applications that are technically legitimate but frowned upon by company policy.

“When the culture of the firm is ‘anything goes’, it’s hard to say turn the taps off,” says Eldon Sprickerhoff, co-founder of security consulting and services firm ESEntire.

Deployment of a whitelist should begin with a profiling phase, he advises.

“We work out what’s going on right now, and then we gradually close down the scary things,” he says.

Deploying a whitelist alongside a malware blacklist could also be a useful rationalisation exercise. By taking a long, hard look at what really needs to be running on PC endpoints, organisations might be able to simplify their application portfolio, freeing up some support and maintenance budget. ®
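As an added illustration (not code from the article or from any vendor it names), the following Python script shows the layered policy the piece describes: a profiling phase seeds a hash whitelist, a blacklist is overlaid so known-bad hashes always lose, a policy greylist blocks legitimate-but-unwanted software, a simple publisher-plus-location “trust engine” rule lets patched system files through, and everything else is denied by default. All file contents, publishers and paths are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set


class Verdict(Enum):
    DENY_BLACKLISTED = "deny: hash matches a known-malicious signature"
    DENY_GREYLISTED = "deny: legitimate software barred by company policy"
    DENY_UNKNOWN = "deny: not on the whitelist (default deny)"
    ALLOW_WHITELISTED = "allow: hash is on the whitelist"
    ALLOW_PUBLISHER = "allow: trusted publisher in a managed location"


@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes
    publisher: Optional[str] = None  # assumed to come from a verified code signature


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def profile_baseline(files: Iterable[FileInfo]) -> Set[str]:
    """Profiling phase: hash what is running today to seed the whitelist."""
    return {sha256_hex(f.content) for f in files}


class EndpointPolicy:
    def __init__(self, whitelist: Set[str], blacklist: Set[str], greylist: Set[str],
                 trusted_publishers: Set[str], managed_dirs: Set[str]) -> None:
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.greylist = set(greylist)
        self.trusted_publishers = set(trusted_publishers)
        self.managed_dirs = set(managed_dirs)

    def evaluate(self, f: FileInfo) -> Verdict:
        h = sha256_hex(f.content)
        if h in self.blacklist:          # blacklist overlays the whitelist: known-bad always loses
            return Verdict.DENY_BLACKLISTED
        if h in self.greylist:           # legitimate but frowned upon by policy
            return Verdict.DENY_GREYLISTED
        if h in self.whitelist:
            return Verdict.ALLOW_WHITELISTED
        # "Trust engine" rule: a signed update from a trusted publisher landing in a
        # managed directory is allowed even though its new hash is not yet whitelisted.
        if f.publisher in self.trusted_publishers and any(
                f.path.startswith(d) for d in self.managed_dirs):
            return Verdict.ALLOW_PUBLISHER
        return Verdict.DENY_UNKNOWN      # failsafe default


# Constructed sample inventory (not real binaries)
BASELINE = [
    FileInfo("C:/Windows/System32/calc.exe", b"calc v1", "Microsoft"),
    FileInfo("C:/Program Files/Acme/acme.exe", b"acme v1", "Acme"),
    FileInfo("C:/Users/bob/Downloads/poker.exe", b"poker v1"),
]
KNOWN_BAD = sha256_hex(b"dropper payload")   # constructed blacklist entry

POLICY = EndpointPolicy(
    whitelist=profile_baseline(BASELINE),
    blacklist={KNOWN_BAD},
    greylist={sha256_hex(b"poker v1")},      # legitimate game, barred by policy
    trusted_publishers={"Microsoft"},
    managed_dirs={"C:/Windows/"},
)

CANDIDATES = {
    "baseline app": FileInfo("C:/Program Files/Acme/acme.exe", b"acme v1", "Acme"),
    "patched system file": FileInfo("C:/Windows/System32/calc.exe", b"calc v2", "Microsoft"),
    "same publisher, wrong place": FileInfo("C:/Users/bob/Downloads/calc.exe", b"calc v2", "Microsoft"),
    "policy-barred game": FileInfo("C:/Users/bob/Downloads/poker.exe", b"poker v1"),
    "known dropper": FileInfo("C:/Temp/x.exe", b"dropper payload", "Acme"),
    "unknown binary": FileInfo("C:/Temp/y.exe", b"never seen"),
}


def run_policy() -> dict:
    """Evaluate every constructed candidate and return name -> Verdict."""
    return {name: POLICY.evaluate(f) for name, f in CANDIDATES.items()}


if __name__ == "__main__":
    for name, verdict in run_policy().items():
        print(f"{name:30s} -> {verdict.value}")
```

Note the ordering: because the greylist and blacklist are checked before the whitelist, a hash captured during profiling can still be denied later by policy without editing the baseline.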

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/network_security/

Norton blocks Facebook as ‘phishing site’

Well, it does collect private info

Symantec has withdrawn an update to its Norton consumer security software that branded Facebook a phishing site on Wednesday.

The snafu meant that users of Norton Internet Security were blocked from accessing the social networking site and were told a “fraudulent web page” had been blocked, as illustrated in a discussion thread on Symantec’s support forums.

While wags might joke that Facebook is all about persuading punters to supply personal information to a website that ought not to be trusted, it’s a bit of a stretch to even compare Zuckerberg’s Reservation to a fraudulent banking site. Symantec responded to the problem within hours. From the looks of support forum postings, affected users were left dazed and confused rather than seriously inconvenienced or aggrieved by the screw-up.

Security firms update their signature definition files to detect either rogue applications or questionable websites at increasing frequency in order to keep up with malware production rates. Plenty of effort is put into the quality assurance process across the industry but even so mistakes sometimes occur. False positives are a cross-industry problem that affects all vendors. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/norton_blocks_facebook/

OMG! Berners-Lee has an iPhone

RSA Europe: Sir Tim Berners-Lee surprised assembled hacks when he turned up to a press roundtable at the RSA conference on Thursday with an iPhone.

Berners-Lee notably singled out Steve Jobs’ iTunes for criticism over its use of proprietary technologies a year ago, but he was happy to use the Jesus Phone despite these reservations. The Reg understands he also owns an Android smartphone.

During a question-and-answer session with journalists, Berners-Lee was asked about recent suggestions by WIPO boss Francis Gurry that the internet would have enjoyed better investment if the web had been patented.

If web users had been obliged to pay a licence fee (via a “flexible licensing model”) then more money would have been available for investment in the internet and basic research, Gurry argued at the launch of the Global Innovation Index back in June.

Berners-Lee was dismissive of the idea: “It’s the most uninformed and unimaginative idea I’ve heard in a long time.”

Gopher, which romped across networks in the early 1990s, withered and died because of the possibility that a small charge might be applied for its use; the web succeeded where it failed.

“CERN chose not to charge royalties for the web and it’s only because it was that open then we’ve seen incredible growth, and increases in efficiency, on top of it,” said Sir Tim.

“The licensing idea would have left us stuck in the days of dial-up and walled gardens,” he concluded.

Berners-Lee expressed great enthusiasm for web apps and a future featuring user-owned pieces of cloud. Asked about what he felt were the greatest security issues on the net, Sir Tim said that this wasn’t his field of expertise but said that “as a user” he was “amazed” that secure, encrypted email exchanges using PKI technologies had not become the norm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/berners_lee_rsa/

Big biz told to reveal hack attacks

Publicly listed companies in the US have been asked to disclose when they’ve been hacked, according to new guidance issued by the Securities and Exchange Commission.

The market regulator has let firms know that they can no longer hide cyber attacks if the attack could cause financial damage to the company or make the financial information available to potential investors misleading.

Here’s the formal language on the guidance:

Registrants should address cybersecurity risks and cyber incidents in their MDA [management discussion and analysis] if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

The new guidelines come at a time when more and more prominent and trusted companies are becoming the victims of cybercrime.

Just this week, Sony warned users about a massive brute-force attack against PlayStation and Sony network accounts, of which 93,000 were compromised. And that came just a few months after the whole PlayStation network had to be shut down after a hack attack.

More worryingly, major bank Citigroup was breached in June and the data of 360,000 accounts was exposed.

High-profile hacks like these and the cyber attacks on Google, the US Air Force and the International Monetary Fund have got mere punters worried about security, but the poor old investors are even more concerned because they might lose some money by buying shares in cyber-vulnerable companies.

US Senator Jay Rockefeller had asked the SEC to issue the guidelines to help investors make more informed decisions.

“Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything,” Rockefeller said in a statement, according to Reuters.

“It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it.”

A spokesperson for the Financial Services Authority in the UK told The Register that cyber attacks “would come under our listing rules, which state that companies have to disclose material information”. So there’s no specific guidance on hacks, but anything that might affect a firm’s financials should be disclosed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/sec_hack_attacks/

Facebook accused of violating US wiretap law

A Mississippi woman has accused Facebook of violating federal wiretap statutes by tracking her internet browsing history even when she wasn’t logged onto the social networking site.

In a lawsuit filed on Wednesday in federal court in the northern district of Mississippi, Brooke Rutledge of Lafayette County, Mississippi, also asserted claims for breach of contract, unjust enrichment, trespassing, and invasion of privacy.

The complaint, which seeks class-action status so other users can join, comes three weeks after Australian blogger Nik Cubrilovic published evidence that Facebook “Like” buttons scattered across the web allowed Facebook to track users’ browsing habits even when they were signed out of their accounts.

“Leading up to September 23, 2011, Facebook tracked, collected, and stored its users’ wire or electronic communications, including but not limited to portions of their internet browsing history even when the users were not logged-in to Facebook,” the 17-page complaint stated. “Plaintiff did not give consent or otherwise authorize Facebook to intercept, track, collect, and store her wire or electronic communications, including but not limited to her internet browsing history when not logged-in to Facebook.”

The complaint claims the behavior violated provisions of Facebook’s own privacy policy that state: “If you’re logged out or don’t have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of information. For example, because you’re not logged in to Facebook, we don’t receive your User ID.”

But according to Cubrilovic, Facebook cookies containing unique identifiers remain on a user’s hard drive and are sent back to the social network each time he visits a third-party site containing a Facebook Like icon.

“Even when you are logged out, Facebook still knows and can track every page you visit,” Cubrilovic wrote.

Facebook has since said that many of the cookies Cubrilovic referred to are intended to foil spam and phishing attacks and that not all of the data sent back to the social networking site is logged.

Wednesday’s complaint is the latest to seek redress for alleged privacy violations that result from cookies and other files that websites use to track the browsing habits of their visitors. In the past 18 months, Disney, Microsoft, McDonalds, and others have all been sued, often for using technologies that respawn tracking cookies even after users have deleted them. Many of them have been tossed out of court because plaintiffs couldn’t quantify monetary damages that resulted from the practice.

Facebook representatives didn’t respond to an email seeking comment for this post. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/facebook_tracking_lawsuit/

Financial company heavies researcher for reporting vulnerability

An Australian security researcher has found himself questioned by police and threatened by a commercial law firm – for reporting a vulnerability to a financial company.

Proving that shoot-the-messenger ham-fistedness isn’t dead, First State Super – which handles much of the superannuation of the NSW public service, among other things – exhibited a website flaw so basic that its customers should be seeking out the designer with pitchforks and torches, and wants to punish the researcher for alerting it to the problem.

The sequence of events, first reported on Patrick Gray’s Risky Business, runs like this: Patrick Webster of OSI Security identified a direct object reference bug while examining his own superannuation (“pension fund” to Americans) account, in which his account ID was embedded in the URL. Incrementing the URL took him to someone else’s account.
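The bug described above, as an added Python illustration (not First State Super’s code, nor Webster’s proof of concept): a statement handler that trusts the account number from the URL beside two hardened versions, one that checks the record belongs to the logged-in member and one that replaces the sequential id with an opaque per-session reference. The account table, user names and balances are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample back end: member accounts keyed by a sequential account id,
# the situation the article describes (the id is what appeared in the URL).
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "statement": "alice: balance 12,000"},
    1002: {"owner": "bob", "statement": "bob: balance 48,500"},
}


class Forbidden(Exception):
    """Would be rendered as HTTP 403 (or 404, to avoid confirming the id exists)."""


@dataclass
class Session:
    user: str
    # Opaque per-session references for the indirect-reference variant below
    refs: Dict[str, int] = field(default_factory=dict)


def statement_vulnerable(session: Session, account_id: int) -> str:
    """Vulnerable pattern: authentication only. The handler trusts the id from the
    URL, so any logged-in member can read any account by changing the number."""
    return ACCOUNTS[account_id]["statement"]


def statement_hardened(session: Session, account_id: int) -> str:
    """Fix 1: authorisation. The record must belong to the session's user."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session.user:
        # Deny and log; repeated hits here from one logged-in user are worth alerting on.
        raise Forbidden(f"user {session.user!r} may not view account {account_id}")
    return record["statement"]


def issue_reference(session: Session, account_id: int) -> str:
    """Fix 2: indirect references. The page links to an opaque token that maps
    to the id only inside this session, so there is no sequence to walk."""
    if ACCOUNTS[account_id]["owner"] != session.user:
        raise Forbidden("cannot issue a reference to someone else's account")
    token = secrets.token_urlsafe(16)
    session.refs[token] = account_id
    return token


def statement_by_reference(session: Session, token: str) -> str:
    account_id = session.refs.get(token)
    if account_id is None:
        raise Forbidden("unknown or foreign reference")
    return statement_hardened(session, account_id)  # defence in depth: still check ownership


def demo() -> dict:
    """Exercise each handler as alice and report what she could see."""
    alice = Session("alice")
    out = {"vulnerable_foreign": statement_vulnerable(alice, 1002)}
    try:
        statement_hardened(alice, 1002)
        out["hardened_foreign"] = "allowed"
    except Forbidden:
        out["hardened_foreign"] = "denied"
    out["hardened_own"] = statement_hardened(alice, 1001)
    tok = issue_reference(alice, 1001)
    out["by_reference"] = statement_by_reference(alice, tok)
    try:
        statement_by_reference(Session("bob"), tok)   # alice's token in bob's session
        out["reference_other_session"] = "allowed"
    except Forbidden:
        out["reference_other_session"] = "denied"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```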

Webster notified First State Super with – and this seems to have been his error – a proof-of-concept in the form of a Bash script. However, somewhere in the escalation chain of First State Super, someone apparently has the bit between his/her teeth and won’t let go.

First, according to the initial Risky Business report, police were called, and questioned Webster on the evening of October 12. Next, First State Super admitted its problem, fixed the bug, and notified users (along with giving them information regarding how they could change their account numbers if they wished).

And today (Friday 14), First State has escalated its war on the messenger, suspending Webster’s account on the basis of a breach of terms and conditions, engaging lawyers Minter Ellison to demand access to Webster’s computer (to verify deletion of account statements not his own) and threatening to seek costs from Webster.

The letter also makes reference to the computer access provisions of the NSW Crimes Act and Commonwealth Criminal Code, apparently perpetuating the debatable belief that altering a URL constitutes “hacking” or at least “unauthorised access to a computer” – something which could entertain a capable defence lawyer.

As Gray writes: “It was Pillar Administration and First State Superannuation’s diabolical violation of good practice that exposed members’ details, not Webster’s actions.”

First State Super’s CEO Michael Dwyer told Gray that the threats are “just a matter of procedure … regardless of them being a computer expert with a point to prove”, but conceded that First State Super’s security testing “has not been adequate”.

However, Dwyer still seemed somewhat confused at the nature of the vulnerability, later seeming to assert that Webster “knows how to crack a firewall” (it’s about six minutes into the recorded interview with Gray linked from his story). He did, however, seem to offer the opinion that matters will be resolved without too much blood being spilled; what seems on the outside to be needlessly aggressive is, it appears, all down to procedure. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/14/first_state_super_shoots_messenger/