STE WILLIAMS

After hack nightmare, Sony bars lawsuits with new TOS

After getting the pants sued off it for security breaches that exposed personal information connected to more than 100 million online accounts, Sony is requiring subscribers to waive their right to wage class-action lawsuits for almost any reason.

Sony dropped the bombshell in an updated terms of service and user agreement (PDF) on one of its websites. It requires people with accounts on Sony’s PlayStation Network or other online services to seek binding arbitration with an arbitrator of the company’s choosing instead of exercising their right to have a judge or jury hear their case. Legal claims can only be filed if the dispute isn’t resolved through arbitration in a timely manner.

The terms go on to state:

ANY DISPUTE RESOLUTION PROCEEDINGS, WHETHER IN ARBITRATION OR COURT, WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS OR REPRESENTATIVE ACTION OR AS A NAMED OR UNNAMED MEMBER IN A CLASS, CONSOLIDATED, REPRESENTATIVE OR PRIVATE ATTORNEY GENERAL LEGALACTION, UNLESS BOTH YOU AND THE SONY ENTITY WITH WHICH YOU HAVE A DISPUTE SPECIFICALLY AGREE TO DO SO IN WRITING FOLLOWING INITIATION OF THE ARBITRATION.

Sony subscribers will be required to agree to the terms the next time they sign into their accounts – effective Thursday – if they want to continue using the online services.

The changes come five months after an attack on the PlayStation Network exposed names, addresses, email addresses, passwords, and other sensitive data for 77 million accounts. Sony shuttered the service for 40 days while it cleaned up the mess. In the weeks following, attacks were found to hit Sony Online Entertainment, the company’s computer games service, and the Sony Pictures website, exposing personal information for 25 million more accounts.

In July Sony’s insurance company filed a lawsuit that argued its policy didn’t apply to a raft of class-action lawsuits filed in response to the high-profile security breaches.

The terms of service give subscribers the ability of opt out of the class action require, but it will require them to do something many probably haven’t done in years, if ever – write a letter on paper and send it to an address using the postal service.

The instructions:

YOUR WRITTEN NOTIFICATION MUST BE MAILED TO 6080 CENTER DRIVE, 10TH FLOOR, LOS ANGELES, CA 90045, ATTN: LEGAL DEPARTMENT/ARBITRATION AND MUST INCLUDE: (1) YOUR NAME, (2) YOUR ADDRESS, (3) YOUR PSN ACCOUNT NUMBER, IF YOU HAVE ONE, AND (4) A CLEAR STATEMENT THAT YOU DO NOT WISH TO RESOLVE DISPUTES WITH ANY SONY ENTITY THROUGH ARBITRATION.

Anyone got a stamp? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/sony_bars_class_action_suits/

Security firms: Android malware set to skyrocket

Android malware threats could increase by a factor of 60 over the next six months, according to Romanian security pros.

The rise, if realised, could see the number of Android mobile malware samples increasing from 200 now to 12,000 by March 2012. Many examples of Android malware involve the insertion of malicious code into legitimate applications before they are uploaded to third-party Android marketplaces.

During a demonstration on Tuesday, BitDefender security researchers showed it was possible perform this task with just 10 lines of base script. In most cases, users can avoid becoming victims by reviewing the “permissions” that an item of software requests before agreeing to install an app. For example, there is no legitimate reason why a torch app would need the ability to send SMS messages.

“The trouble with permissions is that ultimately falls down to user choice and interpretation,” Viorel Canja, head of anti-malware and anti-spam labs at BitDefender told El Reg. “It’s a repeat of the same problem we’ve had on the desktop.”

“If Google locks down its applications, it risks losing developer interest, something that happened to Symbian before it. Android is not yet the new Windows for malware but it is going that way at the moment,” he added.

BitDefender is developing a mobile security product for Android. The product, currently in beta, includes remote wipe and a filter designed to allow users to easily review application permissions as well as malware detection features. Under current plans, the software would be released free of charge to consumers but neither this or the release date for the software are confirmed. The application has been designed to minimise battery impact.

Rival security firm G Data agreed with BitDefender’s assessment that the rate of growth of mobile malware – which it reckoned grew by 273 per cent in the first half of 2011 – is only going to increase over the immediate future.

“With mobile malware, cyber criminals have discovered a new business model,” said Eddy Willems, security evangelist at G Data. “At the moment, the perpetrators mainly use backdoors, spy programs and expensive SMS services to harm their victims.

“Even though this special underground market segment is still being set up, we currently see an enormous risk potential for mobile devices and their users. We are therefore expecting another spurt of growth in the mobile malware sector in the second half of the year.”

The sophistication as well as the sheer number of malware strains targeting Android smartphones is increasing. For example, Trusteer warned earlier this week over the appearance of a strain of the SpyEye banking Trojan that infected Android smartphones in order to intercept text messages that many financial institutions use to prevent fraud, as explained in more detail in our earlier story here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/15/android_malware_skyrockets/

Newsnight presenter pwned by snarky hack

Nothing like hacking the official profile of a BBC presenter and filling it with snide comments about how he’s crap at maths, for a quick laugh.

Well, we assume it’s a laugh that has motivated the bitter rewrite of the Newsnight Scotland presenter Gordon Brewer’s BBC profile. See the screen grab below.

Gordon Brewer's BBC profile, credit BBC

The presenter bios tend to be light and jokey in style but this does not sound like the officially sanctioned version of the journalist’s life:

“Gordon began his journalistic career on The Shetland Times after any hopes of a more technical pursuit were cruelly exposed by a short period working for the oil industry at Sullom Voe. He still keeps a nervous eye on the main flare stack, where he was supposedly monitoring the paint thickness.”

We don’t know who could behind this snarky little hack but it could have been a mathematician, annoyed by the former business journalist’s supposedly weak grasp of mathematical concepts:

“This was his opportunity to stop being a business journalist and he reported from Europe, the United States, Russia and the Middle East without the slightest use of arithmetic.”

It could equally have been a Japanese person, annoyed at Gordon’s alleged failure to learn the Japanese language:

“Despite strenuous attempts to learn Japanese, the nearest he got to fluency was with cab drivers after an evening in the bar.”

On the other hand, it might not be a hack at all and could have come from someone within the Beeb with access to these things… and a grudge.

The rewrite seemed to take place last night and lots of people on Twitter had a merry time passing it around, but despite the flare-up it’s still in place this morning.

So, who did it then? Any of you commentards want to ‘fess up? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/15/bbc_presenter_official_bio_rewritten_by_snide_hacker/

Feds probe naked Scarlett Johansson outrage

The FBI is probing hack attacks on celebs after nude photos of Scarlett Johansson were leaked onto the web last night.

“The FBI is investigating the person or groups responsible for a series of computer intrusions involving high-profile figures,” Laura Eimiller at the Federal Bureau of Investigation office in Los Angeles told AFP.

She refused to name any of the celebs involved “due to the pending nature” of the inquiry.

Nude photos and videos of High School Musical star Vanessa Hudgens were pinched from her email account and distributed online in March. She was reported to have gone to the feds over the incident.

Celeb tittle-tattle site TMZ said at the time that about 50 actors and musicians, including Johansson, were the victims of a gang of hackers who were targeting phones and computers looking for titillating photos and gossip.

“What traditionally was called computer intrusion can nowadays mean anything from compromise of a desktop, a laptop, an iPad, a phone or really any device with which one can access personal information via the internet,” Eimiller said last night.

Sophos Security’s Graham Cluley said celebrities deserved privacy on their personal phones and emails as much as anyone else, but the hacks should teach everyone an important lesson in security.

“If you must take nude photos of yourself, don’t leave them on your phone or store them in your email,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/15/federal_investigators_hunt_hackers/

Hunt: Online file-sharing is a ‘direct assault on freedoms’

Search engines and internet service providers (ISPs) could be forced to make it harder for users to access copyright infringing content online under new UK communications laws, the Culture Secretary has said.

Jeremy Hunt said that the UK needed to “explore all options” that would make it more difficult for websites that “ignore the law”. He called online file-sharing “theft” that was “a direct assault on the freedoms and rights of creators of content to be rewarded fairly”.

Hunt told an audience at the Royal Television Festival (RTF) in Cambridge that the UK might ask search engines and ISPs to play more of a part in tackling online copyright infringement.

“We need to explore all options to make life more difficult for sites that ignore the law,” Hunt said in his speech.

“I believe these could include a responsibility on search engines and ISPs to take reasonable steps to make it harder to access sites that a court has deemed contain unlawful content or promote unlawful distribution of content,” Hunt said.

Hunt also said that a “cross-industry body” could be established and “charged with identifying infringing websites against which action could be taken”.

A “streamlined legal process” could also be set up to help courts “act quickly”, whilst responsibility could be placed on advertisers and credit card companies to remove adverts and services from copyright infringing sites, Hunt said.

Voluntary agreements could be set up to help provide solutions to online copyright infringement, but if they cannot be established the Government will propose new measures under law, Hunt said.

Earlier this year, Hunt announced that the government would conduct a review of UK communications laws. In May the government opened a consultation on new communications laws and sought feedback from media and communications businesses, including telephone providers, TV, radio and online publishers.

Evidence gathered from the consultation, which has now closed, would be used to inform proposals for a Communications Bill that could lead to a raft of new communications regulations coming into effect in 2015, Hunt said at the time.

In his RTF speech Hunt said that it was “fundamental” that freedoms and the law should “apply equally” online as they do “in the physical world”.

“We do not allow certain products to be sold in the shops on the high street, nor do we allow shops to be set up purely to sell counterfeited products,” Hunt said in his speech. “Likewise we should be entitled to make it more difficult to access sites that are dedicated to the infringement of copyright. Sites that are misleading customers and denying creators fair reward for their work.”

Free speech lobbyists labeled Hunt’s plans “very dangerous”.

“Jeremy Hunt is pushing new knee-jerk measures to pressurise private bodies into making decisions about who is breaking the law. That amounts to privatisation of justice, which is very dangerous,” Jim Killock, executive director of the Open Rights Group said.

“Mr Hunt also committed to seeking evidence before making copyright policy. We have today filed an FOI request asking for the evidence he has collected: we are willing to bet that he has not commissioned anything, and yet again, these are unbalanced, lobby-driven proposals,” Killock said.

Under UK copyright laws it is currently possible to force ISPs to block access to copyright-infringing material.

In July the Motion Picture Association (MPA) won a landmark High Court ruling against the UK’s biggest internet service provider (ISP) BT in which it successfully argued that BT should block its customers’ access to a website that provides links to pirated films.

The High Court made its ruling under section 97A of the Copyright Designs and Patents Act. That section gives UK courts the power to grant an injunction against an ISP if it had “actual knowledge” that someone had used its service to infringe copyright.

The Act does not specify what purpose an injunction must serve. Section 97A implements the requirements of the EU Copyright Directive which states that countries must ensure that copyright holders have the right to apply for injunctions against intermediaries, such as ISPs, whose services are used to infringe copyright.

The Court’s order was the first to force an ISP to block access to such a site under UK copyright laws.

An option to introduce additional new website blocking regulations under the Digital Economy Act (DEA) were shelved in August, although further regulations under the DEA that could allow copyright owners to obtain the details of illegal file-sharers from ISPs are expected to be introduced shortly.

The Culture Secretary also called for improved measures for tackling offensive online content, and said that the new communications laws could force ISPs to “ensure all their customers make an active choice about parental controls, either at the point of purchase or the point of account activation”.

In his speech Hunt also said that the UK needs a new “platform-neutral” framework to protect media plurality.

“In an age when consumers are moving freely from platform to platform we should not be restricting media operators from developing products that can follow their customers from TV to internet to smartphone to tablet,” Hunt said.

“But by the same merit we should measure their influence based on a sensible aggregation of consumer contact through those different types of media,” he said.

Hunt said he had asked Ofcom, the UK’s media regulator, to submit evidence to the Leveson Inquiry on “whether or not it is practical or advisable to set absolute limits on news market share; whether they believe a framework for measuring levels of plurality could or should include websites and if so which ones; and whether or how it should include the BBC”.

An Ofcom spokesperson told Out-Law.com earlier this week that it had been asked to submit evidence as part of the ongoing inquiry and that it “welcomes the opportunity to assist” in doing so.

The Leveson Inquiry was announced earlier this summer and primarily focuses on the culture, practices and ethics of the press. The Inquiry team, led by Lord Justice Leveson, is also responsible for making recommendations “for a more effective policy and regulatory regime which supports … the plurality of the media, and its independence” as well as advise on “how future concerns about … cross-media ownership should be dealt with”.

Hunt said that “independent regulators” should be able to launch investigations into media plurality if, and “propose remedies” to protect it, if its in the public interest even when companies are not in the process of discussing mergers or takeovers.

“A country’s character, the unique bonds that define its society and its democratic institutions are all shaped by its media,” Hunt said in his speech. “So we need to take special care to ensure we have vibrant, free – even raucous – debate. We need to ensure that there is the opportunity for multiple voices. And we must take care that power is never over-concentrated in a few hands,” he said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/15/search_companies_and_isps_may_be_asked_by_gov_to_tackle_copyright_infringement/

MPs probe social networks’ position following riots

Policy wonks from Twitter, Facebook and BlackBerry faced MPs on the Home Affairs committee today who were carrying out a postmortem of the disorder across England last month.

Each company reiterated earlier statements that they operated within UK law when providing their communication services to their customers.

BlackBerry’s UK managing director Stephen Bates repeatedly said that the company’s messenger service (BBM) was “mostly used as a force for good”.

He added that such a social media tool could be used by law-abiding citizens and thugs who want to incite violence, much like any other communications tool.

Bates said there was “no dispute” that BBM – an instant messaging service that can be used, following an individual user’s consent, to send out information to a group of up to 30 individuals – “was used for malicious purposes”.

He pointed out that the mobile phone outfit’s 7 million customers in the UK represented a wide-ranging demographic of people.

“We do see within the Communications Act 2003 that the government has the power to suspend comms networks,” he said.

BlackBerry complies with the laws of the land in which it operates, said Bates.

“We work freely within requirements of law as required under RIPA [Regulation of Investigatory Powers Act 2000],” he said, and added it was important for politicians to fully engage with social media.

“Use it, don’t be scared of it,” said Bates.

Facebook’s director of policy, Richard Allan, compared the slowness of authorities’ responses to the rise of social networks to the slow pace at which police adapted to the early technology of cars.

“Police took a while to catch up with the motorised villain,” he said, because the “ability to catch burglars was quite different to those caught on foot”.

Allan was keen to dissuade Facebookers from using the platform to incite violence, as had been the case with a number of foolish individuals who used the site to urge people to riot in their local high streets in early August.

“Facebook is not a good platform for that kind of behaviour, it’s too visible,” he said.

“We’ve seen cases where people are prosecuted, and so they should be,” added Allan.

Facebook has several hundred employees based in Ireland, India and the US who constantly respond to users of the site who report abuse of the service including, for example, racist or homophobic remarks.

He described the 30 million people in the UK who use Facebook as being akin to a “Neighbourhood Watch” – a scheme where curtain-twitchers sign up to keep a lookout in their local residential area in an effort to keep their neighbourhood better alerted against criminal activity.

The Facebook policy man claimed that the network “increased the feeling of well-being” among its users because the service allows an individual to notify their friends and family that they are OK with “one click” of the update button.

Allan said that, like BlackBerry, his company responded to “generally received” RIPA requests from the police about the riots. He declined to provide a breakdown of that figure, however.

“People normally stick to rules,” he added, citing Facebook’s terms of service. “Where individuals step outside of that, we understand that we need to act.”

Allan said that politicos needed to work with a society that was “permanently connected” to the online world.

“We should assume this is going to be a reality henceforth”.

Twitter general counsel Alexander Macgillivray dismissed the idea that the micro-blogging service was good for organising criminal activity, and claimed the company had no evidence to show it was used for that purpose during the recent disorder in England.

“We often get lumped in with other media out there… we think of ourselves as quite distinct. People come to Twitter to say things publicly,” he said.

Twitter has 100 million users worldwide, however Macgillivray was unable to provide a breakdown for its UK market share.

He said that the idea of shutting down networks during social unrest, as recently mulled over and almost immediately rejected by Home Secretary Theresa May, “would be an absolutely horrible idea”.

However, Twitter – in contrast with Facebook and BlackBerry – appears to have a non-existent relationship with UK police.

Instead Macgillivray simply stated that data about who tweeted what when was publicly available to any organisation wishing to scrutinise the information. That would help them draw their own conclusions about the site’s role in the disorder that broke out in London, before moving to other cities within England for four days last month, he noted.

Home Affairs committee chair Keith Vaz MP asked for the companies’ views on the government’s power to close down networks during emergency situations.

“Our view is social media is a force for good. Legislation is there… If enacted we would meet our obligations,” said Bates.

“As a service provider you never would advocate for your service to be made unavailable,” said Allan.

Bates said it was “more acceptable” to respond to such a request where frameworks such as the one in the UK were in place.

Macgillivray batted the question aside.

“It’s clear from any communications device ever invented that some people will break the law,” he said, perhaps stating the most obvious point of the entire debate. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/15/home_affairs_committee_twitter_facebook_blackberry_england_riots/

Google offers opt-out from Wi-Fi router location database

Google offers opt-out from Wi-Fi router location database

  • alert
  • print
  • comment
  • tweet

Never offered an opt-in, though

Free whitepaper – IBM System Networking RackSwitch G8124

Google has given the owners of Wi-Fi routers around the world the right to opt out of a registry that the search giant uses to locate mobile phone users.

Currently Google uses location data tied to the unique codes of residential Wi-Fi routers to help triangulate the location of mobile devices.

Google made the change voluntarily, but it’s likely it was a pre-emptive move before the search giant was forced to do so by European courts. Google has been embroiled in a legal challenge to the practice from privacy regulators in Germany.

The privacy fight waged by the German government will have benefits globally as Google extends the opt-out offer to people around the world.

The main benefit to Google of tracking the location of phone owners is to allow the company to deliver location-specific adverts. Where Wi-Fi router information is not available, it may use the device’s GPS or the signatures of cellphone towers to locate a device.

The opt-out system should be in place by this autumn. ®

Free whitepaper – IBM BNT RackSwitch and IBM System Networking Solutions

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/15/google_allows_people_to_opt_out_of_the_location_data_that_they_harvest_from_residential_wifi_networks/

Kiwi rugby rats warned to keep eye on the hacker ball

New Zealand business owners gripped by Rugby World Cup fever have been warned to keep an eye on their PBXs during festivities.

The New Zealand Telecommunication Carriers Forum (TCF) claims that the incidence of PBX fraud has increased four-fold during 2010, with around 30 to 40 New Zealand companies getting hit by international PABX fraudsters every month.

The security breach occurs relatively easily when someone hacks into an unsecured voicemail system that allows incoming callers to dial extensions directly. The hackers then redirect internal DDI calls to an external international number.

The hacksters have jacked in and racked up international telephone calls worth hundreds of thousands of dollars, according to the TCF.

TCF CEO David Stone says that there is a real danger that the incidence of PBX fraud will increase during the Rugby World Cup.

“With so many tourists expected to visit New Zealand, international fraudsters may take the opportunity to target New Zealand for PBX hacking during this time,” he says.

He warns that securing a PBX is just as important as password-encrypting your PC. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/pabx_attack_while_rugby_on/

Windows 8 to ship with built-in malware protection

Microsoft’s next version of Windows will ship with “tons of security features,” including one that automatically scans boot drives for malware and a revamped version of the Windows Defender antivirus program, company executives said.

At the company’s BUILD conference in Anaheim, California on Tuesday, Corporate Vice President of Windows Planning and Ecosystem Michael Angiulo demonstrated an early version of Windows 8 that automatically scanned an infected USB drive used to boot the next generation operating system. Before the OS was able to load, the computer stopped the process and displayed a warning that the boot volume contained an “invalid signature” indicating it had been compromised.

He was able to get the valid version of Windows to load by turning off the system and turning it back on. The presentation starts around the 1:08 mark in the following video:

The technology making this possible is known as UEFI, short for Unified Extensible Firmware Interface. A successor to the BIOS ROM firmware that Microsoft operating systems have relied on since their beginning, UEFI was designed to shorten the time it takes a PC to start up. It was built by Intel, but is designed to work with a variety of CPU architectures.

“It’s not just about speed and having a boot that looks better,” Angiulo said during Tuesday’s keynote, referring to UEFI. “It’s about security, too.”

Steven Sinofsky, president of Microsoft’s Windows and Windows Live division, went on to say that Windows 8 developers “have taken Defender and we’ve actually built a whole new range of protection, all the way up though antimalware, antivirus.” Users are free to run Defender or security software supplied by another company. In all, the new OS will offer “tons of security features,” he added.

The company issued a statement Wednesday saying Windows 8 would include “low-level security features such as Secured Boot to help defeat classes of threats, and user facing features including Windows Defender and SmartScreen” spam-filtering. The statement didn’t elaborate.

Windows 8 will also offer a new way to log on to PCs equipped with a touchscreen. Sam Bowne, a security instructor at San Francisco City College, provided a screenshot here that describes the feature this way: “You choose the picture – and the gestures you use with it – to create a password that’s uniquely yours.”

Bowne and his students have been testing the security features in the new Windows beta, and he reported on their progress to The Register.

“There is built in antivirus, and it works!” he wrote “It stopped not only thr EICAR test file, but more than a dozen malware items in Metasploit. So it might be time to sell your Symantec stock.” ®

This article was updated to add comment from Bowne.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/windows_8_bundles_antivirus/

Intel goes virtual to root out rootkits

IDF 2011 Intel bought McAfee so it could bring antivirus and intrusion detection closer to the chip, and with DeepSafe – a technology that CEO Paul Otellini previewed at Intel Developer Forum in San Francisco this week – the company will be making good on that promise.

DeepSafe will put some of the antivirus code underneath the operating system, in a virtualization layer that makes use of the VT hardware-assisted virtualization that is part of all modern Core processors for PCs and Xeon processors for servers.

Intel's Candace Worley

McAfee’s GM of endpoint security

Candace Worley

DeepSafe will be the foundation of a number of different enterprise security products that the McAfee unit will roll out, beginning later this year. Joining Otellini on stage at IDF was Candace Worley, general manager of endpoint security at Intel’s McAfee unit, who showed of a beta of McAfee antivirus software that does kernel-mode rootkit prevention.

“The traditional approach is really a software-based approach, and the challenge of that approach is that malware – for example, rootkits – load and embed themselves at the kernel level of the operating system, making it very difficult for antivirus products to actually see them and clean them,” explained Worley.

“Using a combination of hardware and software allows us to monitor memory and processor activity, giving us a way of detecting the intrusion of unknown threats,” explained Worley. “This is a fundamentally different approach to security.”

Intel McAfee DeepSafe

Intel’s McAfee DeepSafe rides below the OS

Intel did not divulge exactly how DeepSafe works and if it would require customers to run their operating system images on an actual hypervisor for it to work. From the diagram above, it looks like McAfee has in essence created a security hypervisor layer that nonetheless will allow an operating system to think that it is running on bare metal, even though it isn’t. It stands to reason that this security hypervisor layer will not allow for virtual machine partitioning, and further than there will eventually be versions of it that ride below actual bare metal hypervisors, thus securing them.

Intel could obviously embed DeepSafe within ESXi, Xen, KVM, and Hyper-V hypervisors too, to secure virtual machine guests and their operating systems, but that would leave the hypervisor – which is really itself a kind of stripped down operating system with partitioning – exposed to security risks. It will be interesting to see how this plays out, and if McAfee will support the AMD-V virtualization extensions for Fusion PC and Opteron server chips from Advanced Micro Devices. While Intel did not mention Xeon processors specifically in the DeepSafe presentation, there is no technical reason why it could not be used to secure server workloads.

McAfee says that more than 1,200 new rootkits per day are detected out there on the networks of the world. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/intel_mcafee_deepsafe/