eBay-style outsourcing site PeoplePerHour says a rival firm faked emails which claimed to be offering the company’s customer database for sale.
The company initially feared that a disgruntled ex-contractor had swiped customer records and was offering them for sale to rival companies. The rivals declined the offer and tipped off PeoplePerHour.
Company founder Xenios Thrasyvoulou said: “We have now looked extensively into the matter, including getting the headers of the initial email that was sent to our competitors informing them that they have a database and contacting this supposed fraudster in India. We also got access to the email account via Google as we filed a fraud complaint with them.”
He said the email headers showed that the email could not have been sent from India where the contractor is supposedly based. Additionally the fake mails used an actual contractor’s name, but added a digit at the end.
Thrasyvoulou said: “So: all the evidence shows that someone (probably an envious competitor) got the name of a former contractor (which is very easy to get from places like LinkedIn etc), created a Gmail account in their name with a slightly different suffix and sent this out to competitors and the press. Its a lame attempt to hurt us.”
The company is confident no customer data was compromised.
The site is one of several offering “bid for a contractor” services to small businesses but we had no idea competition in this market was so cut-throat. ®
The Metropolitan police have arrested another man as part of its ongoing investigation into alleged phone-hacking at axed Sunday tabloid News of the World.
“On Thursday, 18 August, officers from Operation Weeting arrested a man [H], aged 38, on suspicion of conspiring to unlawfully intercept voicemails contrary to section 1(1) Criminal Law Act 1977,” said Scotland Yard in a brief statement this morning.
The unnamed man was cuffed by appointment at a London police station, where he remains in custody.
This arrest brings the total number of people allegedly associated with the NotW phone-hacking scandal to 13.
A Guardian report suggest that James Desborough, who joined the tabloid as a showbiz reporter in 2005 before being promoted to Hollywood editor in 2009, is the man currently being quizzed by police. ®
Updated Cryptographers have discovered a way to break the Advanced Encryption Standard used to protect everything from top-secret government documents to online banking transactions.
The technique, which was published in a paper (PDF) presented Wednesday as part of the Crypto 2011 cryptology conference in Santa Barbara, California, allows attackers to recover AES secret keys up to five times faster than previously possible. It introduces a technique known as biclique cryptanalysis to remove about two bits from 128-, 192-, and 256-bit keys.
“This research is groundbreaking because it is the first method of breaking single-key AES that is (slightly) faster than brute force,” Nate Lawson, a cryptographer and the principal of security consultancy Root Labs, wrote in an email. “However, it doesn’t compromise AES in any practical way.”
He said it would still take trillions of years to recover strong AES keys using the biclique technique, which is a variant of what’s known as a meet-in-the-middle cryptographic attack. This method works both from the inputs and outputs of AES towards the middle, reusing partial computation results to speed up the brute-force key search. The technique is designed to reduce the time it takes an attacker to recover the key.
Lawson continued:
This technique is a divide-and-conquer attack. To find an unknown key, they partition all the possible keys into a set of groups. This is possible because AES subkeys only have small differences between rounds. They can then perform a smaller search for the full key because they can reuse partial bits of the key in later phases of the computation.
It’s impressive work but there’s no better cipher to use than AES for now.
AES remains the favored cryptographic scheme of the US government. The National Institute of Standards and Technology commissioned AES in 2001 as a replacement for the DES, or Digital Encryption Standard, which was showing signs of its age.
The research is the work of Andrey Bogdanov of Katholieke Universiteit Leuven; Microsoft Research’s Dmitry Khovratovich; and Christian Rechberger of Ecole Normale Superieure in Paris. Bogdanov and Rechberger took leave from their positions to work on the project for Microsoft Research. ®
Update
Vulture Central has been deluged with missives from outraged readers complaining about the use of the word “broken” in the headline. “Broken” in cryptography is the result of any attack that is faster than brute force. The biclique technique described here allows attackers to recover keys up to five times faster than brute-force. AES may not be completely broken, but it’s broken nonetheless.
What’s more, theoretical attacks against widely used crypto algorithms often get better over time. As Root Labs’ Lawson has noted, MD5 wasn’t compromised in a single 2004 paper. Rather, people successively found better and better attacks against it, starting in the mid 1990’s.
Thanks to Reg reader Kevin 3 for bringing the facts to the discussion with this comment.
In case you ever wondered just what kind of preparation Afghan police recruits get in order to prepare them to face the Taliban, rest assured they’re offered the very latest in high-tech training technology.
For proof, check out the fourth snap in this slideshow from FOCUS online. Regular readers will note the same scrupulous attention to detail lavished on our own Playmobil reconstructions, including plastic trees, real sand and a lovingly-crafted building.
It’d be too easy to laugh at this initiative by German coppers to enlighten their Afghan counterparts as to just how you hold up the traffic while your colleague suspiciously eyes what appears to be a partially buried Smart Car, but the scene is notable for the conspicuous absence of Lego Taliban (pictured), meaning that in the world of Playmobil at least, the forces of justice always prevail. ®
Bootnote
Thanks to Matthias Toth for the tip-off.
Related stories
All of our own illuminating Playmobil set-ups can be found here.
A computer user who alleged that an advertising network breached US privacy laws did not prove she had suffered sufficient damages for those charges to be further examined, a US court has ruled.
Sonal Bose claimed that Interclick’s use of Flash cookies and “history sniffing” code “invaded her privacy, misappropriated personal information and interfered with the operation of her computer”, according to a district court in New York.
Cookies are small text files that websites store on internet users’ computers. The files record users’ activity on the site. Flash cookies are files stored by websites that use Adobe Flash media, such as in adverts or video clips. Flash cookies can also back up the data that is stored in a regular cookie. When you delete cookies using your browser controls, your Flash cookies are not affected. A website that served a cookie to you that you deleted may recognise you on your next visit if it backed up its now-deleted cookie data to a Flash cookie.
Advertising networks use cookies to track user behaviour on websites in order to target adverts to individuals based on that behaviour.
Interclick used Flash cookies to “respawn” cookies Bose had deleted, and used “history sniffing” code to determine content that Bose had viewed online. Both techniques helped Interclick serve Bose with targeted ads, she claimed, according to the ruling. Bose claimed Interclick’s activity violated the US Computer Fraud and Abuse Act (CFAA), the ruling said.
Under the CFAA a person is prohibited from causing damage by intentionally accessing a protected computer without consent. Unless a damages claim for violations of the CFAA exceeds $5,000 in a period of a year no action for damages can be taken against the company under the terms of the Act, the Act provides.
The CFAA states that only claims for “economic damages” can be made. The judge ruled that Interclick’s collection of Bose’s personal information did not raise an economic “injury” that was worth more than the $5,000 threshold. Bose had argued that Interclick had obtained information about her online activity without her permission as she had taken steps to delete cookies and protect her privacy.
“Even if Bose took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold,” the judge said in the ruling.
Bose also claimed that Interclick had “impaired the functioning and diminished the value” of her computer. The judge ruled that Bose had failed to “make any specific allegation as to the cost of repairing or investigation the alleged damage” and ruled that, as a result, Bose had failed to meet the damages threshold for that charge to be further investigated by the courts.
Bose’s third claim, that Interclick caused interference with the operation of her computer, was unsubstantiated and therefore failed to meet the damages threshold for pursuing the charge, the judge ruled.
“Even if a flash cookie may reach up to 100 kilobytes in size and may occupy space on Bose’s hard drive, Bose fails to demonstrate that the flash cookie caused damage, a slowdown, or a shutdown of her computer,” the judge said. “Thus, Bose’s claim of interruption of service is insufficient to meet the … threshold,” the judge said.
Bose’s case was part of a so-called “class action” against Interclick. Class action lawsuits are common in the US, where lawyers will earn large fees for organising many similarly affected people into bringing proceedings against organisations.
Bose had argued that her damages claims should be “aggregated” with other members of the class action, but the judge said that they could not.
“[Bose] here has failed to allege facts that would allow this Court to conclude that damages meet the … threshold, even when aggregated across the putative class,” the judge said.
A police officer working on Scotland Yard’s investigation into alleged phone-hacking at the now-defunct Sunday tabloid the News of the World was arrested by cops from the anti-corruption unit of the Metropolitan police late last week.
The Met said that on Thursday 18 August they cuffed “a serving MPS officer from Operation Weeting on suspicion of misconduct in a public office relating to unauthorised disclosure of information as a result of a proactive operation”.
They didn’t release the name of the officer, who was described as a 51-year-old male detective constable, and Scotland Yard only confirmed he had been arrested after releasing the man on bail until 29 September, pending further inquiries.
The officer was suspended from his job on Friday (19 August).
“I made it very clear when I took on this investigation the need for operational and information security. It is hugely disappointing that this may not have been adhered to,” said Deputy Assistant Commissioner Sue Akers, who is in charge of Operation Weeting.
“The MPS takes the unauthorised disclosure of information extremely seriously and has acted swiftly in making this arrest,” she added.
Meanwhile, a 35-year-old man was released on Friday, after being in police custody on suspicion of conspiring to unlawfully intercept voicemails.
He was bailed to return at a yet-to-be-determined date in October.
Reports suggested that former NotW features writer Dan Evans was the man arrested then bailed by police on Friday.
James Desborough, who joined the Sunday tabloid as a showbiz reporter in 2005 before being promoted to Hollywood editor in 2009, was arrested last Thursday as part of the Operation Weeting probe. ®
Microsoft has deleted code on its MSN website that secretly logged visitors’ browsing histories across multiple web properties, even when the users deleted browser cookies to elude tracking.
Microsoft announced the move in a tersely worded blog post published on Thursday. That’s the same day that a researcher revealed that MSN and three other Microsoft websites hosted JavaScript that uniquely identified users in the event they deleted tracking cookies from their hard drives. The code was copyrighted in 2007, indicating the practice may have been in place for more than four years.
To survive the cookie purges that many users perform to preserve their privacy, the JavaScript was stashed in a browser’s cache folder and contained two separate means to uniquely identify visitors. First, it included the MUID, or machine unique identifier, contained in the tracking cookie, along with instructions to recreate the file in the event it was no longer found in the browser’s cookie folder. The script also included the MUID in what’s known as an ETag that was also stored in the cache.
“We don’t really know what they were doing with this information, but it’s not obvious what this explanation would be,” said Jonathan Mayer, a graduate student in Stanford University’s computer science department, whose research brought the practice to light.
“The burden is on Microsoft to explain how it came to be there and how they used it and what they’re going to do to make sure it doesn’t happen again. As we turned over this ETag mechanism, we thought long and hard about how could they be using this legitimately. We couldn’t come up with anything.”
A spokeswoman at Microsoft’s outside PR firm declined to answer any questions about the practice, including whether it’s been discontinued on all Microsoft properties or only on MSN. She said no one inside Microsoft was available to speak about the issue.
The revelation comes as hundreds of sites including Hulu.com, Spotify, and GigaOm were recently observed using similar “cookie respawning” techniques, which are controversial because they resurrect the browsing history of users who take pains to erase them. In addition to the use of cache cookies and ETags, the respawning can also rely on cookies based on Adobe Flash, Microsoft SilverLight, and the HTML5 specification, making it hard for many people to evade.
The practice of issuing so-called supercookies and zombiecookies is the subject of numerous lawsuits. Last week, Microsoft and several other companies were dismissed from a suit alleging cookie respawning abuse because the plaintiff couldn’t quantify the monetary damages she suffered.
According to Mayer, the cookies respawned by the wlHelper.js JavaScript hosted on Microsoft sites allowed Microsoft to sync browsing histories across at least six sites, including bing.com, microsoft.com, msn.com, live.com, xbox.com, and atdmt.com, its ad-serving network.
In Thursday’s 225-word blog post, Microsoft Associate General Counsel Mike Hintze said Microsoft curtailed the practice after Mayer brought it to the company’s attention.
“We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued,” he wrote. “We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft.”
For Mayer, who along with colleagues at the University of California at San Diego, UC Berkeley, and elsewhere have repeatedly documented websites that respawn cookies or sniff browsing history to track users against their wishes, he no longer believes companies when they say they can be trusted to police themselves.
“I really don’t think that’s possible to accept any more,” he said. “The fact of the matter is that we’re seeing, intentionally or not, companies doing things that circumvent privacy choice in a way that suggests they need to have more of a spotlight put on them, possibly by regulators.” ®
The hack of a commercially available insulin pump that diabetics can control wirelessly has attracted the attention of US lawmakers who oversee the safety of the nation’s airwaves.
In a letter drafted earlier this week, US Representatives Anna Eshoo and Edward Markey asked members of the Government Accountability Office to ensure that wireless-enabled medical devices “will not cause harmful interference to other equipment” and are “safe, reliable, and secure.”
The letter comes two weeks after a researcher demonstrated he could remotely tamper with the insulin dosages administered by the machine he relies on to treat his diabetes. The model uses no means of authentication, making it easy for unauthorized parties to connect to it and increase, decrease, or stop the flow of the hormone.
The demonstration at this year’s Black Hat security conference in Las Vegas was the latest to show the vulnerability of a remotely controlled medical device. Pacemakers and other implanted heart devices were shown to be susceptible to serious hack attacks in research released in 2008.
Jerome “Jay” Radcliffe, the researcher at this year’s Black Hat who demonstrated the attack, has refused to identify the manufacturer of the vulnerable insulin pump. A representative of Medtronic, one of several companies that make such devices, has been quoted as saying: “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.” ®
The Identity and Passport Service (IPS) is to introduce a new online passport application service in early 2012 in an effort to improve its interactions with customers.
In its business plan for 2011-12 (28-page PDF/2.2MB), the IPS says that it will replace its current PASS passport application system with one that will allow customers to apply and pay for their passport online anywhere in the world. For the first time people will also be able to check the status of their application.
“The online application channel will be of particular benefit to customers living overseas, who from 2012 will apply directly to IPS, rather than via the Foreign and Commonwealth Office, for their passport,” the document says.
The IPS will decide the future of the civil registration digitisation and indexing project this year. So far it has digitised about 50 per cent of its birth, death, adoption and marriage records, and it hopes to digitise the remaining records and place its indexes online by the end of the year.
The service will also focus on replacing or extending a number of legacy systems, and upgrade its main passport database “to ensure it remains as secure as possible”. The business plan says these changes will provide the foundation for a wider modernisation of the organisation. As a result of the National Identity Service being scrapped last year, the IPS will look at new technology to replace ageing systems, as well as hosting for its civil registration systems.
The document also reveals plans to share more services in 2011-12, most likely with the Home Office, with which the IPS already shares HR, marketing and some categories of procurement where possible. This will include an increase in the number of shared corporate functions to include finance and the remaining procurement categories.
Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.
As fighting rages around Colonel Gaddafi’s compound in Tripoli, hackers have taken the fight online to the country’s domain name registry nic.ly.
The site’s homepage now hosts an image of the rebel flag and the message “bye bye Gaddafi”, as well as the date 17 February, the day Libyan protestors started demonstrations and were shot at by security forces, computer security firm Sophos reported.
The hackers’ flipped bird (click to enlarge)
Heavy fighting is being reported in the streets of Tripoli today after rebels seized large parts of the city on Sunday. Gaddafi’s whereabouts remain unknown, but it has been widely reported that the rebels claim to have captured his son Saif al-Islam.
Today’s fighting has followed a sustained push by rebels to topple the Gaddafi regime. Protests in early February in Benghazi turned violent when security forces opened fire on the protestors, leading to the first military action at the end of the month when Anti-Libyan government militias took control of Misurata.
In March, the Libyan National Council declared itself the sole representative for the country and began gaining recognition from Western nations, as well as Middle Eastern states including Qatar. By mid-March, NATO began its military intervention with airstrikes in the country.
Over the summer, the fighting continued as rebels slowly made their way towards Tripoli while the International Criminal Court in The Hague issued arrest warrants for Gaddafi, his son Saif al-Islam and his head of intelligence.
Finally, on Sunday, rebels entered the city, facing little real resistance according to reports on the ground. This was despite calls from Gaddafi on national television for supporters to take the streets and fight for him.
Hacking, social networks and the internet have become a growing social and political tool in the Arab world, galvanising protests and helping protestors to make wide-reaching statements. At the beginning of the war, Gaddafi attempted to strangle rebel communication by cutting Libyans off from the internet, but they are back online today after 150 days.
Messages such as “Libya is free” and “The tyranny is over” have been appearing on Twitter and Facebook in the last hour. ®
For proof, check out the fourth snap in 
