STE WILLIAMS

Tyneside police website defaced, used to serve phish

Northumbria Police Authority woke up to a host of security problems after the August bank holiday weekend.

Not only was the UK police regulation authority defaced by a foul-mouthed Tunisian hacker, who made reference to the Anonymous hacking collective, but the law-enforcement authority was placed in the more serious position of playing host to a PayPal phishing page.

The defacement stated: “The Northumbria Police Authority website was hacked by lamine Foued ( Dr.F0u3D). F*ck You admin. Freedom For T.H.T Anonymous Tunisia :D.”

As GFI Software notes, even after the defacement had been cleaned up, Northumbria Police Authority’s server was still being used to host a PayPal phishing page. Low-level crooks behind this type of scam often use resources on legitimate servers. The incident is nonetheless more than a little embarrassing for the police authority, a civilian body that oversees the activities of local police in the area around Newcastle upon Tyne.

Chris Boyd of GFI Software has reported the PayPal phish to police-service web admins, who would be well advised to give the site a once-over for any further (as yet unidentified) problems. The incident illustrates that as well as opening the door to digital graffiti artists, website vulnerabilities also create a means for miscreants to mount more troublesome attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/31/northumbria_police_authority_site_hack/

Couple can sue service that monitored their net sex

A federal judge is allowing a lawsuit to proceed against a laptop-tracking service that surreptitiously intercepted explicit images from a public school teacher during an investigation of a stolen computer.

Susan Clements-Jeffrey filed the suit against Absolute Software after one of its employees captured steamy chats and naked images of her and her out-of-state boyfriend, according to an article from Wired.com and other reports. The investigation, which intercepted images of the woman naked and her legs spread, commenced after a used computer she bought for $60 from one of her students had Absolute’s LoJack for Laptops installed on it – and the laptop turned out to be stolen property.

Clements-Jeffrey claims she first learned the laptop was stolen when police brandishing copies of the steamy images arrested her for possession of stolen property. The charges were dropped shortly after.

She sued Absolute, its employee, the city of Springfield, Ohio, and two of its police officers for violations of the Electronic Communications Privacy Act, which prohibits the secret interception and disclosure of contents from wire, oral, or electronic communications.

The defendants asked the judge hearing the case for a summary judgement finding that she had no reasonable expectation of privacy because the computer she was using was stolen. The price of the laptop and a serial number that had been scratched off should have tipped her off that the machine had been misappropriated, they argued in a motion that asked the suit be resolved in their favor.

US District Judge Walter Rice of the southern district of Ohio declined. He said there were grounds to believe the defendants had gone too far and that the matter would be better decided by a jury.

“It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down,” Rice wrote. “It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.”

It’s too early to know how the case will turn out, but it’s likely Clements-Jeffrey and her boyfriend have radically altered their expectations of privacy when it comes to internet communications. More from the Internet Cases blog and Forbes here and here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/31/laptop_tracking_wiretap/

Apache squashes ‘devastating’ bug under attack

Maintainers of the open-source Apache webserver have fixed a severe weakness that attackers are exploiting to crash websites.

Flaws in Apache’s HTTP daemon made it easy to crash servers using publicly available software released last week. The bugs in the way the HTTPD processed multiple web requests that involved overlapping byte ranges allowed attackers to overwhelm servers by sending them a modest amount of traffic.

An advisory on Apache’s website said the bug, formally known as CVE-2011-3192, has been fixed in version 2.2.20.

“We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the advisory stated. “Active use” of the attack tool has been observed.

One of the bugs fixed in the update was specific to Apache, while a second flaw has been known since 2007, and possibly involves all webservers, an Apache bulletin said. The Internet Engineering Task Force is considering changing the underlying protocol responsible for the problem, Apache said.

Versions 1.3.x and 2.0.x through 2.0.64 contain the denial-of-service vulnerabilities. They can be triggered by a single web request that contains overlapping byte ranges for a specific page.

“The problem is that currently such requests internally explode into 100’s of large fetches, all of which are kept in memory in an inefficient way,” Apache’s advisory explained. “This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy.” ®
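The two mitigations the advisory names, merging the ranges so each byte is fetched once and dropping Range headers deemed too unwieldy, can be shown as a small server-side triage step. The following Go program is an added example written for this page; it is not Apache code, and the caps on range count and on requested-bytes-to-resource-size ratio (`maxRanges`, `maxAmplification`) are assumptions chosen for illustration, not values from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// byteRange is one resolved, inclusive [Start, End] slice of a resource.
type byteRange struct{ Start, End int64 }

// Thresholds for "too unwieldy". Both are assumptions for this example, not
// figures taken from Apache's advisory or its eventual configuration.
const (
	maxRanges        = 100  // more ranges than this: ignore the header
	maxAmplification = 10.0 // raw bytes requested / resource size
)

// parseRanges resolves an HTTP/1.1 Range header ("bytes=a-b,c-,-d") against
// a resource of the given size. Malformed or unsatisfiable specs are errors.
func parseRanges(header string, size int64) ([]byteRange, error) {
	spec := strings.TrimSpace(header)
	if !strings.HasPrefix(spec, "bytes=") {
		return nil, errors.New("unsupported range unit")
	}
	var out []byteRange
	for _, part := range strings.Split(strings.TrimPrefix(spec, "bytes="), ",") {
		ends := strings.SplitN(strings.TrimSpace(part), "-", 2)
		if len(ends) != 2 || (ends[0] == "" && ends[1] == "") {
			return nil, fmt.Errorf("malformed range %q", part)
		}
		if ends[0] == "" { // suffix form "-N": the last N bytes
			n, err := strconv.ParseInt(ends[1], 10, 64)
			if err != nil || n <= 0 {
				return nil, fmt.Errorf("malformed suffix range %q", part)
			}
			if n > size {
				n = size
			}
			out = append(out, byteRange{size - n, size - 1})
			continue
		}
		start, err := strconv.ParseInt(ends[0], 10, 64)
		if err != nil || start >= size {
			return nil, fmt.Errorf("unsatisfiable range %q", part)
		}
		end := size - 1 // open form "N-": through the end of the resource
		if ends[1] != "" {
			if end, err = strconv.ParseInt(ends[1], 10, 64); err != nil || end < start {
				return nil, fmt.Errorf("malformed range %q", part)
			}
			if end > size-1 {
				end = size - 1
			}
		}
		out = append(out, byteRange{start, end})
	}
	return out, nil
}

// mergeRanges sorts the ranges and coalesces any that overlap or touch, so
// every byte of the resource is read at most once however the request
// phrased it.
func mergeRanges(rs []byteRange) []byteRange {
	sorted := append([]byteRange(nil), rs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Start < sorted[j].Start })
	var merged []byteRange
	for _, r := range sorted {
		if n := len(merged); n > 0 && r.Start <= merged[n-1].End+1 {
			if r.End > merged[n-1].End {
				merged[n-1].End = r.End
			}
			continue
		}
		merged = append(merged, r)
	}
	return merged
}

// amplification is the ratio of bytes the raw ranges would fetch to the
// resource size: the disproportion between request and work that the
// advisory describes.
func amplification(rs []byteRange, size int64) float64 {
	var total int64
	for _, r := range rs {
		total += r.End - r.Start + 1
	}
	return float64(total) / float64(size)
}

type rangeDecision int

const (
	serveRanges rangeDecision = iota // honour the merged ranges (206)
	ignoreRange                      // drop the header, serve the whole file (200)
	rejectRange                      // malformed or unsatisfiable (400/416)
)

// triageRange is the server-side policy: reject what cannot be parsed, ignore
// what is too unwieldy, otherwise serve the merged ranges.
func triageRange(header string, size int64) (rangeDecision, []byteRange) {
	rs, err := parseRanges(header, size)
	if err != nil {
		return rejectRange, nil
	}
	if len(rs) > maxRanges || amplification(rs, size) > maxAmplification {
		return ignoreRange, nil
	}
	return serveRanges, mergeRanges(rs)
}
```

Ignoring the header rather than returning an error is the conservative choice: a client that legitimately asked for many ranges still gets a correct (if larger) response, while the server does the work of one whole-file read instead of hundreds of in-memory fetches.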

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/apache_dos_vuln_patched/

Did Google certificate forgers hit hundreds more sites?

The hack attack that minted a fraudulent authentication credential for Google.com may have affected hundreds of other websites, a review of source code for Google’s Chromium browser suggests.

A side-by-side comparison of the code in an upcoming version of Chrome with the current release shows that the number of secure sockets layer certificates hardcoded in the browser’s blacklist grew by 247. A comment accompanying the additions said: “Bad DigiNotar leaf certificates for non-Google sites.”

As previously reported, Microsoft, Google, Firefox, and other software makers announced updates on Monday to prevent their products from trusting SSL certificates issued by DigiNotar. They took the unprecedented move following Monday’s discovery that the Netherlands-based certificate authority had issued a bogus certificate for Gmail, Google Docs, and other Google services that was being used to target people in Iran.

In a press release that raised new concerns, DigiNotar said on Tuesday that a July 19 attack on its certificate authority system resulted in forgeries being issued for “a number of domains” including Google’s, but declined to specify the names or give a precise number. In a later interview with IDG News, a DigiNotar spokesman put the figure at “several dozen.”

The vacuum of information from DigiNotar has left researchers scrambling to figure out exactly how many sites might be affected. Exhibit A is the Chrome differential showing the number of “static const unsigned kNumSerials” equalling 257, compared to 10 in the previous version. The constant variable refers to the number of serial numbers enumerated in a list of blacklisted certificates.

Exhibit B is this list, compiled from DigiNotar’s certificate revocation list. It shows that a little more than 100 certificates have been cancelled by the certificate authority since June.

It’s impossible to say if all of Monday’s changes to Chrome’s “static const unsigned kNumSerials” involved certificates for separate web addresses. A Google spokesman didn’t respond to an email asking for an explanation of the changes.

But the increase in serial numbers, combined with the comments “seem pretty indicative” that Chrome has purged hundreds of non-Google certificates issued by DigiNotar, said Andrew Storms, director of security operations at nCircle. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/google_chrome_certificate_blacklist/

World ostracizes firm that issued bogus Google credential

A counterfeit credential authenticating Gmail and other sensitive Google services was the result of a network intrusion suffered by DigiNotar, the parent company of the Netherlands-based certificate authority said in a press release that raised disturbing new questions about security on the internet.

Tuesday’s disclosure by Chicago-based Vasco Data Security came as a growing roster of companies updated their software products to prevent them from trusting certificates issued by DigiNotar. At least one of them cited unconfirmed reports that the fraudulent certificate that came to light on Monday was used to spy on the electronic communications of people in Iran.

Vasco said in its statement that a July 19 breach of DigiNotar’s certificate authority system resulted in fraudulent secure sockets layer certificates being issued for a “number of domains, including Google.com.” The statement didn’t specify the names or number of the additional domains, and representatives from both Vasco and DigiNotar didn’t respond to emails seeking those details.

“The attack was targeted solely at DigiNotar’s certificate authority infrastructure for issuing SSL and EVSSL certificates,” the statement read. The company has suspended certificate services pending additional security audits by third-party firms.

An earlier audit following the breach unearthed the issuance of counterfeit certificates used by banking, email, and other sensitive services to cryptographically prove their sites are authentic rather than forgeries. DigiNotar believed that all fraudulent certificates had been revoked, but Monday’s discovery of a valid certificate authenticating Gmail, Google Docs, and other sensitive services was dramatic proof to the contrary.

According to an unconfirmed post on a Google support forum, the wildcard certificate for *.google.com was presented to users of ParsOnline and other Iranian ISPs when they accessed Gmail. In a post published on Monday, Google repeated the claim but didn’t say if there was any evidence to back it up. Google representatives didn’t respond to an email seeking clarification.

“To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings,” Heather Adkins, Google’s information security manager, wrote in the post.

Microsoft, Google, and Mozilla also prepared updates that prevented their software from trusting certificates signed by DigiNotar. Microsoft’s changes take immediate effect for users of Vista and later operating systems. Users of Windows XP will have to wait for a software update. Fixes from Google and Mozilla involve fixes to the Chrome and Firefox browsers and the Thunderbird and SeaMonkey email programs.

Apple has yet to warn its users of the risk or say how it plans to respond. Its Safari accounts for about 5 percent of the worldwide browser market.

Bogus cert flagged by Google-baked protection

Google’s Adkins said that a protection recently added to the Chrome browser helped end users detect the fraudulent certificate even though it was signed by a trusted authority. The Google-created feature is known as pinning, and offers an additional layer of security by checking a cryptographic hash of an SSL certificate’s public key. It works only when Chrome users are visiting Google websites, although the browser may consider adding “large, high security” sites, according to this post, which offers additional technical details.
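The two browser-side defences in these stories are a hardcoded blacklist of certificate serial numbers (the `kNumSerials` list discussed above) and public-key pinning, which compares a hash of the certificate’s SubjectPublicKeyInfo against values built into the browser. The Go program below is an added example for this page and is not Chrome’s code; the `pinPolicy` type, the host names and the blocklisted serial are constructed for illustration, and the self-signed certificates stand in for what a CA would issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the hex SHA-256 digest of the certificate's DER-encoded
// SubjectPublicKeyInfo; this is the value a public-key pin is compared with.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinPolicy is a constructed stand-in for the two lists a browser can ship:
// per-host public-key pins and a blocklist of known-bad certificate serials.
type pinPolicy struct {
	pinnedHosts    map[string]map[string]bool // host -> accepted SPKI hashes
	blockedSerials map[string]bool            // lower-case hex serial numbers
}

// check runs after ordinary chain validation (not shown here). A certificate
// from a trusted CA still fails if its serial is blocklisted or, for a
// pinned host, if its public key is not one of the pinned keys.
func (p pinPolicy) check(host string, cert *x509.Certificate) error {
	if p.blockedSerials[cert.SerialNumber.Text(16)] {
		return errors.New("certificate serial number is blocklisted")
	}
	pins, pinned := p.pinnedHosts[host]
	if !pinned {
		return nil // unpinned hosts rely on chain validation alone
	}
	if !pins[spkiPin(cert)] {
		return fmt.Errorf("public key of certificate for %s does not match any pin", host)
	}
	return nil
}

// selfSigned mints a throwaway certificate for host with a fresh P-256 key,
// standing in for whatever a CA (legitimate or compromised) would issue.
func selfSigned(host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "mail.example.test" // constructed host name
	genuine, err := selfSigned(host, 1)
	if err != nil {
		panic(err)
	}
	policy := pinPolicy{
		pinnedHosts:    map[string]map[string]bool{host: {spkiPin(genuine): true}},
		blockedSerials: map[string]bool{"2a": true}, // constructed blocklist entry
	}
	fmt.Println("genuine:", policy.check(host, genuine))
	// Same name, different key: a forged certificate fails the pin check even
	// if a trusted CA had signed it, which is the case the articles describe.
	forged, _ := selfSigned(host, 2)
	fmt.Println("forged:", policy.check(host, forged))
}
```

Pinning the public key rather than the whole certificate is what lets a site renew its certificate without breaking the pin, as long as it keeps (or pre-pins) the key; the serial blocklist, by contrast, can only name forgeries that are already known.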

Tuesday’s statement from Vasco is troubling because of the crucial information it omits. If an earlier audit failed to spot the wildcard Google certificate, what other forgeries that should stick out like a sore thumb have gone unnoticed? And if the intrusion of DigiNotar’s systems happened on July 19, why didn’t the company issue warnings earlier so software companies could blacklist them from their products?

A spokesman for DigiNotar told The Register that it would “be difficult” for him to respond to questions about the security breach and the resulting effects it has on end users. This only seems to reinforce the notion that CAs see themselves as too big to fail and aren’t accountable to end users. So for now, users would be well-served by removing DigiNotar’s root-signing key from all applications they use to access the internet.

Mozilla has provided instructions here for purging the key from Firefox, and the process is almost identical for Thunderbird. Those using Opera, Safari and other programs not mentioned in this article are invited to leave directions for disabling DigiNotar in the comments section below. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/fraudulent_google_cert_update/

Tony Sale, ‘Colossus’ crypto machine rebuilder, dies at 80

Tony Sale, the leader of the project to rebuild the code-breaking Colossus computer, has died at the age of 80.

Sale and his wife Margaret were part of the team which, in 1991, undertook the campaign to save Bletchley Park, the site where World War II code-breakers worked to crack the German High Command’s communications.

Two years later, he headed up the project to rebuild the Colossus – the world’s first electronic computer – which had been designed to decipher the encryptions of the Germans’ Lorenz machine. Breaking the Enigma and Lorenz codes helped the Allies shorten the war by months and probably saved thousands of lives.

The Colossus project was “daunting and hugely complex” as the team only had small fragments of information to work with, according to the National Museum of Computing (TNMOC), which Sale co-founded.

Sale was born in 1931 and showed a keen interest in engineering and electronics from an early age, building his first robot out of Meccano, the museum said.

His career started in the Royal Air Force, where he was a flying officer and lectured on radar. He then spent five years at Marconi’s Research Laboratories from 1952, after which he joined MI5, where he became principal scientific officer.

During the ’60s and ’70s he was involved in a number of software companies before he became interested in computer restoration work in the 1980s.

“Tony Sale’s passing is a tremendous loss to us all on a personal and professional basis,” said Andy Clark, chairman of TNMOC trustees.

“Tony’s contributions to the National Museum of Computing have been immense and I am quite sure that without his remarkable talents, enthusiasm and drive, the museum would not have come into existence. The rebuilding of a functioning Colossus Mk II, Tony’s homage to the wartime code-breakers of the Lorenz cipher at Bletchley Park, is such a remarkable piece of work that it will forever be the model of excellence to which the museum aspires.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/tony_sale_rebuilder_of_colossus_dies/

Pre-paid Chinese users still anonymous despite new law

For the last 12 months it has been illegal to buy a mobile phone in China without presenting ID, but Chinese customers seem as reluctant to be identified as everyone else.

Just like Google, the Chinese are concerned about the use of false, or non-existent, identities in the online world. Rumours abound that local versions of Twitter will soon require real names to be used, and since 1 June one can’t even get a high-speed train ticket without presenting a state-issued ID, but attempts to lock down the identity of mobile phone users have proved more challenging.

China’s real-name registration system was introduced a year ago, in an attempt to reduce the number of anonymously owned phone numbers, but an investigation by local publication IT Times demonstrates that Chinese retailers are more than willing to help customers fake the data to get the sale.

Unlike contract phones, prepaid accounts don’t need to be connected to a named individual: no credit is given so no one has to be responsible for that credit. It is not anonymity which drove the popularity of prepaid accounts, but the lack of credit check and paperwork certainly contributed along with the utility for those who need to watch every penny they spend. But the lack of real identities attached to these accounts also means no one knows who the users are.

With the notable exception of the USA, prepaid accounts dominate almost everywhere in the world, and governments are starting to demand an identity to go with every phone number. The idea is to help prevent crimes – from crank-calling to terrorism – being committed anonymously, but opponents argue that such crimes going unpunished is a price worth paying for a little anonymity.

Some countries simply passed laws requiring existing users to identify themselves, or face being cut off. China instead adopted a policy that only required new purchases to be backed with a valid state ID number. The idea was that renewals and replacements would gradually migrate the customer base into being identified, but the policy has proved no more effective than the hard line adopted elsewhere.

The reporter from IT Times visited various mobile retailers in China, and found that they would happily provide fake details to get the sale, with one online retailer even boasting:

“Our SIM cards aren’t recycled from other people, and they aren’t all registered using one name over and over. These are new cards, automatically registered with a fake name and ID number so you don’t have to worry about getting spam text messages or other disturbances.”

In the UK one can still get a phone anonymously, though the operators don’t like it and incentivise their retailers (with cash) to get customers’ details. Operators want those details so they can sell us stuff. According to mobile-advertising specialists Blyk, the most valuable piece of information about you is where you live (with sex and age coming a low second and third respectively), so it’s something the operator wants to know.

It’s also something the government wants to know, though anecdotal evidence from India and Bangladesh (two countries where anonymous sales are forbidden) is that SIMs are still routinely sold without an accompanying identity, or with the most perfunctory check on the details. In many developing countries customers frequently own more than one SIM, to take advantage of differing tariffs. So in Pakistan (for example) buyers are limited to purchasing four SIMs at a time, and required to present identity documents, but SIMs are often sold on many times – so the ability to identify the original purchaser becomes of limited value.

Swiss Telecom (now Swisscom) pioneered the anonymous prepaid phone, but in 2004 it switched to an all-identified system – and the Swiss would never seek to circumvent such a law.

Other countries, including France, have always required an ID check before a SIM could be sold, thus avoiding the problem entirely. Germany introduced such a requirement in 2004, though it seems very few Germans were calling anonymously anyway. Virgin Mobile brought anonymous telephony to the USA in 2002, and despite various attempts to impose an identity requirement it is still possible to buy an anonymous phone in the USA.

It’s not clear what percentage of prepaid mobile phones remain anonymous, in the UK or anywhere else, but criminals can obviously obtain unregistered SIMs just about anywhere with varying degrees of effort. Only the operators have the exact figures, but it does seem that bribing customers (and, more importantly, retailers) can be extremely effective in gathering the required data.

When proposals for a British government database were rumoured last year the outcry was such that the Home Office felt it necessary to issue a statement saying that no such thing was planned. When an operator has a genuine financial incentive in knowing who its customers are then it will find out, so it is perhaps that specific incentive which is missing from China rather than enforcement of a year-old law. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/anonymous_mobiles_in_china/

Pirate Bay founders launch new cyberlocker

The founders of The Pirate Bay have launched a Rapidshare knock-off called BayFiles. Anyone can upload material to the cyberlocker without creating an account. The site does not appear to be scanning for infringement.

Prepaid credit is available for €5 a month, or €45 a year. This allows freetards to fill their boots more quickly, since non-subscribers are limited to one download an hour. MoneyBookers is the payment agent for the site, which describes itself as a Hong Kong business. DNS records show Bayfiles.com registered with a Panamanian contact address.

As a sign of how effective current online enforcement legislation is, the site says it will “respect” take-down notices from copyright-holders. It hardly tarnishes the appeal to lose the odd file out of millions, and the cost is minimal.

Convicted copyright-breacher and Pirate Bay member Fredrik Neij positioned BayFiles as an alternative to Bittorrent for file-sharing in an interview at the TorrentFreak blog, which ran a promotion for the site.

“TPB has changed their sharing model, [and] so should the entertainment industries change their business model,” writes one enthusiastic prospective punter.

“The only blip on the horizon is the Digital Economy Act (DEA) and not only is that implementation ages away, and receding all the time, but even then it is still time to drink and be happy,” writes another.

But then even pirate-friendly file-sharing sites can be sunk by pirates.

The cyberlockers depend on paid subscriptions or on obliging the users to wait for the download to start, during which time advertisements are displayed. A program called JDownloader bypasses many of these roadblocks. One user’s description of the program reads: “Having this would mean that you get almost same functioanlity [sic] as a premium user of Rapidshare, without spending any money!” The source code is increasingly used by NAS manufacturers to make their media servers more attractive by automating the download process.

The funding behind BayFiles remains a mystery. The Pirate Bay’s millionaire backer and largest shareholder is neo-fascist Carl Lundström, who was thrown out of the far-right New Democracy party for being too right wing. One web report suggests Lundstrom is also behind BayFiles, but this is unconfirmed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/pirate_bay_cyberlocker/

Fake Facebook spam cannon fires double-shotted malware

Malicious spam messages generated by the infamous Cutwail botnet are targeting Facebook users as potential banking Trojan victims.

The messages arrive in the guise of a Facebook friend invite notification. The emails look genuine enough on casual inspection, thanks to the malware-spinners’ apparent use of a genuine Facebook template. But where a genuine Facebook invite contains links to the real social networking site, the malicious emails feature custom links to malware sites. In addition, the emails differ from the genuine article because they do not feature Facebook profile photos. The recipient’s email address is also absent from the fine print at the bottom of the bogus invites.

Users tricked into clicking on the malicious link are exposed to a double-barrelled malware-based attack. Firstly they are offered a bogus Adobe Flash update. In addition, clicking on the link opens a hidden iFrame, which then loads data from a remote server hosting the Blackhole Exploit Kit. The exploit kit attempts to exploit browser security holes, most notably involving insecure Java installations.

Both techniques attempt to download a variant of the infamous ZeuS banking Trojan onto compromised systems. Impersonating email notifications from Facebook is a common enough technique among spammers and purveyors of survey scams, but we’ve never seen it applied to punt banking Trojans before.
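Two of the tells the article lists, links that do not point at the real site and a footer that omits the recipient’s address, can be checked mechanically before a user ever clicks. The Go program below is an added example for this page, not code from M86 Security or Facebook; the two sample message bodies are constructed, the host `notify.example` is a placeholder, and the missing-profile-photo tell is not checked because it depends on the template in use.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// hrefPattern pulls link targets out of an HTML email body. A regular
// expression is enough for this triage; a production filter would use a
// real HTML parser.
var hrefPattern = regexp.MustCompile(`(?i)href\s*=\s*["']([^"']+)["']`)

// sameSite reports whether host is expected or a subdomain of it, so
// "www.facebook.com" matches but "facebook.com.notify.example" does not.
func sameSite(host, expected string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host == expected || strings.HasSuffix(host, "."+expected)
}

// foreignLinks returns every link in body whose host is not under expected.
// mailto: links are skipped because they never carry a web host.
func foreignLinks(body, expected string) []string {
	var out []string
	for _, m := range hrefPattern.FindAllStringSubmatch(body, -1) {
		u, err := url.Parse(m[1])
		if err == nil && strings.EqualFold(u.Scheme, "mailto") {
			continue
		}
		if err != nil || !sameSite(u.Hostname(), expected) {
			out = append(out, m[1])
		}
	}
	return out
}

// looksLikeFakeInvite applies two of the article's tells to a message that
// claims to be a Facebook friend invite sent to recipient.
func looksLikeFakeInvite(body, recipient string) (bool, []string) {
	var reasons []string
	if links := foreignLinks(body, "facebook.com"); len(links) > 0 {
		reasons = append(reasons, fmt.Sprintf("%d link(s) to non-facebook.com hosts", len(links)))
	}
	if !strings.Contains(strings.ToLower(body), strings.ToLower(recipient)) {
		reasons = append(reasons, "recipient address missing from footer")
	}
	return len(reasons) > 0, reasons
}

// Constructed sample bodies: one shaped like the bogus invite described in
// the article, one shaped like a genuine notification.
const sampleFake = `<html><body>
<a href="http://www.facebook.com/">Facebook</a>
<p>Alice wants to be your friend.</p>
<a href="http://notify.example/confirm?id=1">Confirm friend request</a>
<a href="mailto:noreply@facebook.com">Do not reply</a>
</body></html>`

const sampleGenuine = `<html><body>
<a href="https://www.facebook.com/">Facebook</a>
<p>Alice wants to be your friend.</p>
<a href="https://www.facebook.com/n/?confirm">Confirm friend request</a>
<p>This message was sent to bob@example.test.</p>
</body></html>`

func main() {
	for name, body := range map[string]string{"fake": sampleFake, "genuine": sampleGenuine} {
		fake, reasons := looksLikeFakeInvite(body, "bob@example.test")
		fmt.Printf("%s: suspicious=%v %v\n", name, fake, reasons)
	}
}
```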

A full write-up of the scam can be found in a blog post by M86 Security here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/facebook_spam_punts_zeus_trojan/

We didn’t leak names of US agents, insists WikiLeaks

WikiLeaks has sprung a “leak” that has reportedly resulted in the availability of unredacted copies of US diplomatic cables, according to German media outlets. WikiLeaks has admitted some sort of unspecified infosec problem while denying suggestions that its cache of US diplomatic cables has been exposed.

The whistle-blowing website has published carefully edited extracts of the cables in conjunction with its media partners since last autumn, creating a huge diplomatic and political fuss in the process. These extracts were carefully edited to remove sensitive data such as the names of US spies and informers.

Encrypted copies of the raw file were placed on WikiLeaks systems. WikiLeaks founder Julian Assange reportedly shared the passcode to this file with trusted contacts.

German paper Der Freitag said last weekend that it had obtained access to the 1.73GB file (called cables.csv) and the passcode needed to decrypt it. Data contained in the file includes the names of US agents in Israel, Jordan and Iran.

Der Spiegel confirmed the leak and implied that OpenLeaks, a rival whistle-blowing website founded by disaffected WikiLeaks members last year, might have at least pointed Der Freitag towards the leaked file and password in a bid to highlight alleged security shortcomings at WikiLeaks. This remains unconfirmed.

It is not the first time WikiLeaks has lost control of the cables database, as Wired notes. Last year a WikiLeaks member gave access to the database to a freelance reporter, Heather Brooke, without the permission of Assange.

Meanwhile WikiLeaks has downplayed the significance of the leak, arguing that even talk of a leak overstates the situation. In a series of updates to its Twitter account on Monday it offered an alternative version of events, but has still not really explained it.

“WikiLeaks ‘insurance’ files have not been decrypted. All press are currently misreporting. There is an issue, but not that issue,” it said.

“There has been no ‘leak at WikiLeaks’. The issue relates to a mainstream media partner and a malicious individual,” it added.

What’s not in dispute is that after months of inactivity WikiLeaks began publishing hundreds of the remaining US diplomatic cables last week. In between publishing extracts of these authorised releases, the whistle-blowing website is hurling insults at its enemies in the mainstream media, most notably its former partner the New York Times, which it describes as “drooling, senile, and evil” over “totally false” suggestions that any WikiLeaks sources have been exposed or will be exposed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/wikileaks_leak_row/