STE WILLIAMS

UK cops charge alleged Anonymous hacker

A man has been charged by police investigating web attacks allegedly carried out by hacking collective Anonymous against firms deemed to have acted against the whistleblower website Wikileaks.

Scotland Yard named student Peter David Gibson, 22, of Castleton Road, Hartlepool, Cleveland as one of the individuals alleged to have waged DDoS attacks on PayPal, Amazon, Mastercard, Bank of America and Visa in December 2010.

He has been charged with conspiracy to “do an unauthorised act in relation to a computer, with intent to impair the operation of any computer or prevent or hinder access to any program or data held in a computer or to impair the operation of any such program or the reliability of such data,” said the Met.

Those are actions that are contrary to Section 1(1) of the Criminal Law Act 1977, it added.

The Computer Misuse Act, which carries maximum prison sentences of 10 years, was not cited by the police.

Gibson is expected to appear at City of Westminster Magistrates’ Court on 7 September.

Detectives at the specialist computer-crime unit quizzed Gibson in April this year.

He was one of six people arrested in connection to a UK police probe into “Operation Avenge Assange”.

The five other UK-based men – aged 15, 16, 19, 20 and 26 – were arrested, following coordinated police raids in the West Midlands, Northants, Herts, Surrey and London, under the Computer Misuse Act in January this year.

It is alleged that the individuals set off Distributed Denial of Service attacks using a modified piece of open source software known as the Low Orbit Ion Cannon.

The program was used to send a constant stream of data to targeted websites in an effort to shutter the sites.

In July this year federal law-enforcement personnel in the US arrested 16 people accused of carrying out computer crimes that damaged or breached protected systems. Fourteen of these suspects, from 10 states across the US, were alleged to have been involved in “Operation Avenge Assange”.

Anonymous’s assault against PayPal, MasterCard, Visa, Amazon, and others was mounted after those firms cut off services to WikiLeaks, following publication by the whistle-blower site of classified US diplomatic memos. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/cops_charge_alleged_hacker/

That UK.gov Firefox cookie leakage snafu explained

If you’ve used the latest version of Firefox to visit a UK government website in the last few weeks, you may have noticed something unusual in the browser address bar.

Instead of highlighting, for example, direct.gov.uk, as you might expect from Firefox 6.0’s new domain-conscious security behaviour, only the gov.uk portion is shown in bold type.

[Screengrab: Firefox 6 address bar on the directgov site, showing the domain highlighting]

Far from merely a cosmetic change, this actually indicates potentially insecure behaviour that could enable user cookies to be shared between different government-run websites.

Firefox uses Mozilla’s volunteer-maintained Public Suffix List to break domain names down into their component parts, essentially enabling it to determine which level of an address identifies its owner.

While anybody can register second-level domains such as example.com, some extensions require you to use the third level, such as example.co.uk and example.com.au.

The Public Suffix List sets out these registration policies for the world’s 300-odd top-level domains in a simple list form. It’s licensed under the GPL and also used by Chrome and some anti-spam software.

Because the PSL now classifies gov.uk as a single domain owned by a single entity, rather than thousands of different webmasters at thousands of departments, Firefox does too.

This, according to discussions on Mozilla’s bug-tracker, Bugzilla, could give rise to cookie leakage.

It is possible that a cookie set by, say, HM Revenue & Customs could be read by, for example, Tower Hamlets Council or the British Embassy in Iraq.

But the risk is quite small, according to Mozilla Foundation volunteer Jothan Frakes, one of the half-dozen main contributors to the Public Suffix List.

In order for an HMRC cookie to be read by other government websites, HMRC would have to be setting cookies for the whole of .gov.uk, he said. An hmrc.gov.uk cookie would be safe.
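To make the PSL mechanism concrete, here is an added example (not Firefox’s code and not the PSL project’s code) that computes the public suffix and registrable domain under two constructed rule sets, one without gov.uk and one with it, and checks whether a Domain=gov.uk cookie would be accepted and which hosts would then receive it. The rule sets and host names are assumptions chosen to match the cases the article describes.

```python
"""Public Suffix List lookup and cookie-domain check.

Added example, not Firefox's code and not the PSL project's code.  The
PSL is a list of rules such as "uk" or "co.uk"; the longest rule that
matches a host is its public suffix, and the registrable domain is that
suffix plus one more label.  Browsers refuse to set a cookie whose
Domain attribute is a public suffix, so whether gov.uk is on the list
decides whether a Domain=gov.uk cookie is accepted and then sent to
every *.gov.uk host.  Wildcard and exception rules are omitted because
none are needed for the .uk cases discussed.
"""

# Constructed rule sets (assumptions, not the real list).  PSL_BEFORE
# models the state the article describes: .uk and .co.uk present,
# gov.uk absent.  PSL_AFTER adds the entries Nominet requested.
PSL_BEFORE = {"uk", "co.uk", "org.uk", "ac.uk"}
PSL_AFTER = PSL_BEFORE | {"gov.uk", "police.uk"}


def _labels(host):
    return host.lower().strip(".").split(".")


def public_suffix(host, rules):
    """Longest rule matching host; falls back to the last label, as the
    PSL algorithm prescribes for hosts no rule covers."""
    labels = _labels(host)
    for i in range(len(labels)):          # full host first, then shorter
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate
    return labels[-1]


def registrable_domain(host, rules):
    """Public suffix plus one label: the part Firefox 6 highlights and the
    widest Domain a site on host may set cookies for.  None when the
    host itself is a public suffix."""
    labels = _labels(host)
    needed = public_suffix(host, rules).count(".") + 2
    if len(labels) < needed:
        return None
    return ".".join(labels[-needed:])


def cookie_domain_allowed(host, cookie_domain, rules):
    """Would a browser accept a Set-Cookie from host with Domain=cookie_domain?
    The domain must be the host or one of its parents, and must not be a
    public suffix under the given rules."""
    host = host.lower().strip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host != cookie_domain and not host.endswith("." + cookie_domain):
        return False
    return public_suffix(cookie_domain, rules) != cookie_domain


def hosts_receiving(cookie_domain, hosts):
    """Hosts to which the browser would send a cookie scoped to cookie_domain,
    i.e. the blast radius of an accepted Domain=gov.uk cookie."""
    d = cookie_domain.lower().strip(".")
    return [h for h in hosts if h == d or h.endswith("." + d)]


if __name__ == "__main__":
    # Constructed host names standing in for the departments the article names.
    sites = ["hmrc.gov.uk", "towerhamlets.gov.uk", "example.co.uk"]
    for name, rules in (("before", PSL_BEFORE), ("after", PSL_AFTER)):
        allowed = cookie_domain_allowed("hmrc.gov.uk", "gov.uk", rules)
        print(name, registrable_domain("www.direct.gov.uk", rules),
              "Domain=gov.uk allowed:", allowed,
              "reaches:", hosts_receiving("gov.uk", sites) if allowed else [])
```

With the "before" rules the registrable domain of www.direct.gov.uk is gov.uk, matching what Firefox highlights in the screengrab, and a Domain=gov.uk cookie is accepted; with gov.uk on the list it is refused while an hmrc.gov.uk cookie is accepted under both.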

Rather than some kind of government conspiracy, the problem appears to have been caused by an oversight, according to Simon McCalla, director of IT at .uk registry Nominet.

“We have not received a request from anybody to formally change the policy for .gov.uk,” he said.

After being informed in May that the PSL contained incomplete information about .uk, Nominet submitted a change request, adding .gov.uk, .police.uk and others to the list, McCalla said.

The .gov.uk space appears to have been treated as if it has a single owner because, from Nominet’s perspective, it does – responsibility for .gov.uk and .ac.uk was delegated to JANET in 1996.

McCalla acknowledged that the result is less than ideal, and said Nominet will now ask JANET if it agrees that .gov.uk should be given a status on the PSL more equivalent to .co.uk.

“I think it will be dealt with very quickly,” he said. He added that maintaining an up-to-date entry for the UK on the voluntary, non-standards PSL is “not a part of Nominet’s operating procedures”.

Due in part to its age, .uk is an unusual case, having a mix of second- and third-level domain owners.

While most second-level domains, such as .org.uk and .co.uk, are managed by Nominet, a handful – such as british-library.uk and parliament.uk – belong to third parties. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/cookie_leak_bug_hits_gov_uk/

US judge: Warrant required to access mobile location data

The US government should have to obtain a warrant before mobile phone providers have to hand over multiple geolocation data records about customers, a US judge has said.

In Europe, privacy watchdogs have called on geolocation data to be classed as personal data, information that can be used to identify someone. EU data protection laws set out special rules on how personal data can be used by organisations that hold it.

Mr Justice Garaufis said that an exception to privacy rights set out in the United States’ Fourth Amendment should not apply to the collection of multiple records of mobile users’ geolocation data.

The Fourth Amendment guarantees that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

An exception to those privacy rights exists under the Fourth Amendment when it states a “person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,” a principle known as the “third-party-disclosure doctrine”.

“The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by ‘choosing’ to carry a cellphone must be rejected,” the judge said in his ruling (22-page/673KB PDF).

“In light of drastic developments in technology, the Fourth Amendment doctrine must evolve to preserve cellphone users’ reasonable expectation of privacy in cumulative cell-site-location records,” he said.

The judge was ruling on whether to grant the US government a court order against mobile provider Verizon. The government had asked the court to issue an order forcing Verizon to hand over at least 113 days’ worth of geolocation data about an individual it said was under criminal investigation.

The government had asked for the order under the terms of the US’ Stored Communications Act.

The Act states that the US government can force “electronic communication service or remote computing service” providers to disclose information about customers – excluding the contents of communications – when the government obtains a court order for the disclosure. The Act states that a court should only issue an order if the government “offers specific and articulable facts showing that there are reasonable grounds” that the contents of information they are asking for is “relevant and material to an ongoing criminal investigation”.

The judge said that the legal standard for obtaining information under the provisions of the Act was “lower than the probable cause standard required for a search warrant” set out in the Fourth Amendment. He said the information the US government was looking for was “protected by the Fourth Amendment”.

“While the government’s monitoring of our thoughts may be the archetypical Orwellian intrusion, the government’s surveillance of our movements over a considerable time period through new technologies, such as the collection of cell-site-location records, without the protections of the Fourth Amendment, puts our country far closer to Oceania than our Constitution permits,” the judge said in his ruling.

“It is time that the courts begin to address whether revolutionary changes in technology require changes to existing Fourth Amendment doctrine. Here, the court concludes only that existing Fourth Amendment doctrine must be interpreted so as to afford constitutional protection to the cumulative cell-site-location records requested here. For the foregoing reasons the government’s motion for orders … is denied,” he said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/us_judge_says_gov_should_have_a_warrant_to_obtain_geolocation_data/

Social networks likely to snub Home Office in riot confab

The Home Secretary is expected to face fierce opposition from popular social network outfits today when she will ask them to consider restricting access to individuals in the aftermath of unrest in England earlier this month.

Theresa May is meeting with wonks from Blackberry, Facebook and Twitter, following evidence that, according to the Home Office, showed such messaging services were used to “coordinate criminality”.

The Home Office said that the talks would help the government decide whether it should be able to cut off access to such online tools when individuals are caught inciting violence on social networks.

May’s department didn’t blame the likes of Facebook, Twitter and Blackberry’s BBM service for being the cause of such disturbances as those that broke out in Hackney, Croydon, Birmingham and elsewhere for four days earlier this month.

But it did argue that the messaging services had been used to enable “criminals to communicate.”

That’s a claim which has already been shot down by an initial study of a database containing 2.5 million riot-related tweets that apparently demonstrates Twitter at least had many more reactionary posts to the unrest than messages calling on people to go out and loot shops.

[Image: UK’s national policing improvement agency chief tweets about Twitter]

A similar analysis of Facebook and Blackberry’s BBM is yet to surface, however.

Both of those networks have been routinely cited in recent weeks by cops and courts who have cuffed and, in some cases, sentenced individuals to harsh terms for witlessly using such services to incite violence – even when their attempts were unsuccessful and only police turned up.

“We are working with the police to see what action can be taken to prevent access to those services by customers identified as perpetrators of disorder or other criminal action,” said the Home Office on Wednesday.

Meanwhile, privacy activists and human rights’ campaigners – including the Open Rights Group, Amnesty UK and Liberty – have written a letter to May in which they urge the Home Secretary to take a much more considered approach to what the collective sees as a knee-jerk reaction to the riots.

“First, we express serious concern about any such review of powers made in haste without proper consideration of the effects on legitimate communication, freedom of expression and privacy,” reads a statement on the Open Rights Group website.

“Second, that such reviews must take place transparently with details of the meetings with communications providers made public as soon as possible.

“Third, that any such review must proceed through a genuine multi-stakeholder process, involving not only communications providers but groups such as those representing citizens’ rights such as freedom of expression and privacy.”

Twitter and Blackberry declined to comment ahead of today’s lunchtime meeting with the Home Office. Facebook hadn’t got back to us at time of writing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/home_office_social_networks_england_riots/

Seven Dwarfs password gag declared Fringe’s best

Comedian Nick Helm has secured the Funniest Joke of the Fringe 2011 title, after entertaining the Edinburgh crowds with this rib-tickler: “I needed a password eight characters long so I picked Snow White and the Seven Dwarves.”*

Nick Helm with his award. Photo: DAVE/PA

A triumphant Helm (pictured) said of his Dave TV honour: “I knew my joke was the funniest joke of all the other jokes in 2011. Thank you to Dave and all the people that voted for proving me right.”

Tim Vine, who last year took top spot with “I’ve just been on a once-in-a-lifetime holiday. I’ll tell you what, never again”, was back on the podium to collect the runner-up gong for the splendid: “Crime in multi-storey car parks. That is wrong on so many different levels.”

Here’s the 2011 top 10 in full:

  1. Nick Helm: “I needed a password eight characters long so I picked Snow White and the Seven Dwarves.”
  2. Tim Vine: “Crime in multi-storey car parks. That is wrong on so many different levels.”
  3. Hannibal Buress: “People say ‘I’m taking it one day at a time.’ You know what? So is everybody. That’s how time works.”
  4. Tim Key: “Drive Thru McDonalds was more expensive than I thought…once you’ve hired the car…”
  5. Matt Kirshen: “I was playing chess with my friend and he said, ‘Let’s make this interesting’. So we stopped playing chess.”
  6. Sarah Millican: “My mother told me, you don’t have to put anything in your mouth you don’t want to. Then she made me eat broccoli, which felt like double standards.”
  7. Alan Sharp: “I was in a band which we called The Prevention, because we hoped people would say we were better than The Cure.”
  8. Mark Watson: “Someone asked me recently – what would I rather give up, food or sex. Neither! I’m not falling for that one again, wife.”
  9. Andrew Lawrence: “I admire these phone hackers. I think they have a lot of patience. I can’t even be bothered to check my OWN voicemails.”
  10. DeAnne Smith: “My friend died doing what he loved… Heroin.”

The worst joke of the year went to a deserving Paul Daniels. The veteran magician took the wooden spoon for explaining to the audience of his Hair Today, Gone Tomorrow show: “I said to a fella ‘is there a B&Q in Henley?’ He said ‘No, there’s an H, an E, an N, an L and a Y…’”

Tim Vine also got a nod in the worst joke round-up for “Uncle Ben has died. No more Mr Rice Guy”, while Andrew Bird is doubtless now regretting he ever told the Fringe: “My wife’s eating for two. She’s not pregnant, just schizophrenic.” ®

Bootnote

*As far as we’re aware, it’s Snow White and the Seven Dwarfs. Apparently Tolkien is to blame for this “dwarves” business.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/fringe_gag/

Woman in strop strip for Bermuda airport customs

A 36-year-old woman faced with a customs search at Bermuda’s LF Wade International Airport rather brilliantly responded by instantly shedding her clothes and telling officers: “If you want to see me naked, you can do it right fucking here.”

Loukai Phillips, a Bermudian native now living abroad, had just flown in from London on 19 August to close her bank account, but had to schedule in an appearance before magistrates on an “indecent exposure in a public place” rap following her protest strip.

Her lawyer, Charles Richardson, explained to the court that because of an unspecified “past association”, his client had been strip-searched every time she faced customs operatives.

He admitted it was “an impetuous decision”, but said Phillips “took her clothes off out of frustration”.

Phillips told airport cops: “I would never do it again, I’m just tired of being searched.”

Prosecutors demanded a fine as punishment for the outrage, since “children had been present and Phillips had repeatedly used bad language while removing her clothes”.

Magistrates, however, simply slapped her with a 12-month conditional discharge, noting: “If you don’t want to be searched, don’t come through customs.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/bermuda_customs/

Home Office faces £500m demand in e-Borders sacking

Raytheon and the Home Office are in talks as the department tries to stop the company suing for unfair breach of contract over its sacking from the e-borders programme last year.

At the time, the e-borders agency said it had no confidence in the company. Immigration minister Damian Green said: “The government is determined to get value for money from its major contracts and requires the highest standard of performance from its suppliers.”

Raytheon’s chief executive wrote a letter to the Home Affairs Select Committee which was leaked to the Telegraph.

The letter claimed that: “Purported termination was unlawful and that Raytheon is entitled to recover substantial damages for wrongful termination… We have made counterclaims in the arbitration in excess of £500m in respect of these matters.”

The paper reckoned the committee would publish the letter later today, but a spokeswoman for the group said it was not sitting in Parliament and therefore not releasing anything today. We’re waiting to hear back from committee chairman Keith Vaz.

A spokesman for Raytheon told the Reg: “We properly and legitimately responded to a request for information from a senior Parliamentary committee. We’re not aware of how this letter was disclosed. However given that we are, as the report correctly states, in the midst of arbitration which is confidential, it would therefore not be appropriate to comment further.”

The Home Office confirmed talks were ongoing.

Raytheon was hired to act as systems integrator and overall project manager for the £1.2bn deal. Its sacking by the Home Office led to fears that the other providers including Serco, Detica, Accenture and QinetiQ would also see contracts disappear.

In 2010 to 2011, the system checked details of 126 million passengers against watchlists and made 2,800 arrests. This number included 18 people arrested in connection with murders, 27 nabbed in connection with rapes, 29 arrested in connection with sex offences and the arrest of 25 people accused of violent crimes.

The contract suffered the usual government IT programme failures as well as concerns from European regulators that compulsory checks on all journeys could be illegal under privacy and data protection laws.

Questions were also raised on its decision to use biometric technology rather than people to secure borders.

Damian Green was a vocal opponent of the deal when in opposition. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/government_raytheon_court/

Vandal posts official’s nude pic to protest cell shutdown

Online vandals protesting the recent shutdown of cellphone service at San Francisco subway stations posted a nude photo of the transit agency spokesman who took responsibility for the highly controversial move.

The image of Linton Johnson, chief spokesman for Bay Area Rapid Transit, was posted Wednesday afternoon to a page on Weebly.com, a site that makes it easy for people to publish their own web content. It shows Johnson pulling down a pair of red Adidas gym shorts to partially reveal his penis. His tee shirt is emblazoned with the word “stiff.”

The page included five other pictures in which Johnson is wearing pants. His cellphone number, personal email address and website are also included.

The page read: “LINTON JOHNSON  – ‘The Face Of BART’ If you are going to be a dick to the public, then Im sure you dont mind showing your dick to the public….”

The post is the latest act to protest BART’s move two weeks ago to temporarily disable mobile service in four stations ahead of planned demonstrations denouncing a fatal police shooting in July. On a conference call with reporters last week, Johnson said the suspension of service was his idea and was necessary to prevent overcrowding and other unsafe conditions in underground stations. Service was restored a few hours later, and signals outside BART stations weren’t affected.

Since that time, people flying the flag of the Anonymous hacking collective have posted personal information belonging to BART passengers and officers of BART’s police force to protest the suspension of service. They have also staged two protests that prompted police to briefly close some stations, but allow cellular service to remain uninterrupted.

It’s unclear where the racy picture of Johnson originated. In a Tweet from Tuesday, a user named dettman claimed to “have 14 embarrassing photos” of Johnson and gave the spokesman 24 hours to resign.

Johnson wasn’t available for comment, and BART representatives said they had no plans to comment on the photo. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/24/bart_official_exposed/

‘Devastating’ Apache bug leaves servers exposed

Maintainers of the Apache webserver are racing to patch a severe weakness that allows an attacker to use a single PC to completely crash a system and was first diagnosed 54 months ago.

Attack code dubbed “Apache Killer” that exploits the vulnerability in the way Apache handles HTTP-based range requests was published Friday on the Full-disclosure mailing list. By sending servers running versions 1.3 and 2 of Apache multiple GET requests containing overlapping byte ranges, an attacker can consume all memory on a target system.

“The behaviour when compressing the streams is devastating and can end up in rendering the underlying operating system unusable when the requests are sent parallely,” Kingcope, the researcher credited with writing and publishing the proof-of-concept attack code wrote Wednesday on Apache’s Bugzilla discussion list. “Symptoms are swapping to disk and killing of processes including but solely httpd processes.”

The denial-of-service attack works by abusing the routine web clients use to download only certain parts, or byte ranges, of an HTTP document from an Apache server. By stacking an HTTP header with multiple ranges, an attacker can easily cause a system to malfunction. On Wednesday morning, Apache developers said they expect to release a patch in the next 96 hours.

The Apache advisory contains several workarounds that admins can deploy in the meantime.
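A defensive check of the kind the advisory’s workarounds aim at, written as an added example (not Apache’s code and not the published attack code): it parses a Range header and refuses requests that stack too many or overlapping ranges before they reach httpd. The five-range limit and the sample headers are constructed assumptions, not values taken from the advisory.

```python
"""Range header sanity check for a reverse proxy or WAF.

Added defensive example: not Apache's own code and not the published
proof of concept.  Apache builds a separate body part for every range
in a request, so a header stacking many overlapping ranges makes the
server allocate and compress out of all proportion to the request.
These functions parse an HTTP/1.1 Range header and flag what a front
end could refuse: malformed syntax, more than max_ranges ranges (five
is an assumed policy value, not taken from the advisory), or overlap.
"""
import re

# One byte-range-spec: "first-last", "first-" or a suffix "-n".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header_value, max_ranges=5):
    """Parse 'bytes=...' into (first, last) tuples; last is None for an
    open-ended range, first is None for a suffix range.  Raises
    ValueError on bad input or too many ranges so callers fail closed."""
    unit, sep, spec_list = header_value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit")
    specs = [s.strip() for s in spec_list.split(",") if s.strip()]
    if not specs:
        raise ValueError("empty range list")
    if len(specs) > max_ranges:
        raise ValueError("too many ranges: %d" % len(specs))
    ranges = []
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        if not m or spec == "-":
            raise ValueError("malformed range: %r" % spec)
        first, last = (int(g) if g else None for g in m.groups())
        if first is not None and last is not None and last < first:
            raise ValueError("inverted range: %r" % spec)
        ranges.append((first, last))
    return ranges


def to_intervals(ranges, content_length):
    """Resolve ranges against a resource of content_length bytes into
    closed [first, last] intervals, dropping unsatisfiable ones."""
    out = []
    for first, last in ranges:
        if first is None:                      # suffix: last N bytes
            first, last = max(content_length - last, 0), content_length - 1
        elif last is None or last >= content_length:
            last = content_length - 1
        if first <= last:
            out.append((first, last))
    return out


def has_overlap(intervals):
    """True when any two byte intervals overlap (sorted sweep)."""
    ordered = sorted(intervals)
    for (_, prev_last), (cur_first, _) in zip(ordered, ordered[1:]):
        if cur_first <= prev_last:
            return True
    return False


def should_reject(header_value, content_length, max_ranges=5):
    """Policy decision for one request: (reject, reason)."""
    try:
        ranges = parse_ranges(header_value, max_ranges)
    except ValueError as exc:
        return True, str(exc)
    if has_overlap(to_intervals(ranges, content_length)):
        return True, "overlapping ranges"
    return False, "ok"

# Constructed sample headers (not captured traffic): a resumed download,
# a two-part request, and the stacked overlapping shape described above.
LEGIT_RESUME = "bytes=1048576-"
LEGIT_TWO_PART = "bytes=0-99,200-299"
STACKED = "bytes=0-,1-,2-,3-,4-,5-,6-,7-"

if __name__ == "__main__":
    for header in (LEGIT_RESUME, LEGIT_TWO_PART, STACKED):
        print(header, "->", should_reject(header, content_length=4096))
```

Legitimate resume and two-part requests pass, while the stacked header is refused for its range count and a header such as bytes=0-50,25-75 is refused for overlap even though it is short.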

The susceptibility of Apache’s range handling to crippling DoS attacks was disclosed in January 2007 by Michal Zalewski, a security researcher who has since taken a job with Google. He said at the time that both Apache and Microsoft’s competing IIS webserver were vulnerable to crippling DoS attacks because of the programs’ “bizarro implementation” of range header functionality based on the HTTP/1.1 standard.

“Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator,” Zalewski wrote. “Whoops?”

In an email to The Register on Wednesday, Zalewski wrote: “Not sure why they haven’t done something about it back then, probably just haven’t noticed in absence of an exploit.”

The episode challenges the conventional wisdom repeated by many proponents of open-source software that flaws in freely available software get fixed faster than in proprietary code because everyday users are free to inspect the source code and report any vulnerabilities they find. Assuming that claim is true, the four-year weakness in Apache’s range-handling feature would appear to be an obvious exception.

About 235 million websites use Apache, making it the most widely used webserver with about 66 percent of the entire internet, according to figures released last month by Netcraft. IIS ranked second with more than 60 million sites, or about 17 percent.

In a statement issued several hours after this article was published, Microsoft spokesman Jerry Bryant said: “IIS 6.0 and later versions are not susceptible to this type of denial-of-service due to built in restrictions.” ®

Update

Trustwave’s SpiderLabs has provided a detailed technical analysis here along with instructions for mitigating attacks using the open-source ModSecurity firewall.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/24/devastating_apache_vuln/

Just how will Apple restrict device-ID snooping in iOS 5?

Apple is planning to phase out unique device identifiers from iOS 5, according to documentation sent out to developers, possibly to stop people worrying about their privacy on iPhones and iPads.

Apple developers have been told that the serial number will be “deprecated” in iOS 5.0 and they should “create a unique identifier specific to your app”.

There has been some debate among developers on blogs and forums about the meaning of the word “deprecation”, but the majority seem to believe it signals a complete phase-out of the UDIDs. Or at least a phase-out of developer usage of the numbers, though Apple may still have access to them.

Christian Henschel, director of partner development at madvertise, told the Reg it was sometimes difficult to work out Apple’s intentions, adding “you never really know what those guys are up to”.

As of publication, Apple had not responded to requests for comment.

The main issue for app developers if the UDIDs are removed is in tracking their audience. While the number is not supposed to be connected to any personal information, it’s nevertheless useful for developers to know that UDID number X (a 40-digit alphanumeric string) has downloaded certain apps, uses them a certain number of times or spends so much time on them, etc. Some mobile ad networks also use the UDID to target their advertisements.

“I think it has some impact for developers because the most important thing for developers is to analyse their audience,” Henschel said.

He suggested that one reason Apple might be ditching UDID access is to stop people freaking out about how smartphones use the data they hold.

An article in the Wall Street Journal in December said that iPhone apps had passed on UDIDs along with location, gender and age information to outside ad companies. The makers of the apps in question said the data they passed on couldn’t be linked to an individual’s name. But these kind of fine-line privacy issues have thrown the spotlight on UDIDs.

“There are techniques to connect hardware to some software,” Henschel said, adding that the amount of information stored on smartphones alongside the UDID – such as Facebook or email login details – had led to fears about how it could be used.

Henschel also pointed to the recent spat between the notoriously secretive Apple and analytics firm Flurry as a possible spur for the move. In January, Flurry reported that it had identified around 50 tablet devices in testing at Apple’s campus in Cupertino using its analytics.

The ironic breach of Apple’s own privacy led Jobs and Co to change the iPhone’s SDK terms of service.

“Some company called Flurry had data on devices that we were using on our campus – new devices,” Jobs said live at the D8 conference in New York.

“They were getting this info by getting developers to put software in their apps that sent info back to this company! So we went through the roof. It’s violating our privacy policies, and it’s pissing us off! So we said we’re only going to allow analytics that don’t give our device info – only for the purpose of advertising.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/24/why_apple_is_phasing_out_unique_device_identifiers/