STE WILLIAMS

Serious Farce Office: 32K secret BAE probe files spaffed to WRONG bod

The UK’s top anti-fraud agency has admitted it sent tens of thousands of sensitive documents from an investigation into arms giant BAE Systems to the wrong person.

The probe into multinational defence corporation BAE Systems ended after the aerospace firm paid a whopping $400m fine to the US relating to a violation of US rules across a number of countries (and £30m to the SFO over accounting issues in a Tanzanian radar deal) back in 2010.


After it closed the case, the Serious Fraud Office was then supposed to return 32,000 pages of documents and 81 audio tapes, as well as other assorted bits of electronic storage media, to 59 different people who supplied them as evidence during the investigation.

But the SFO mistakenly sent the huge cache to one unnamed individual – and three per cent of the data remains missing.

The SFO insisted none of the data related to national security and said it was making every effort to recover the missing information.

A Serious Fraud Office spokeswoman said: “The SFO is dealing with an incident of accidental data loss.

“The data concerned was obtained by the SFO in the course of its closed investigation into BAE Systems. The SFO has a duty to return material to those who supplied it, upon request, after the close of an investigation.

“In this instance the party requesting the return was sent additional material which had in fact been obtained from other sources.”

The embarrassing data fumble took place between May and October 2012. It was only flagged up in May 2013 and the SFO rolled into action in June.

The affected parties were notified and an investigation has now begun. Alan Woods, a former senior civil servant, is leading the probe, which was ordered by the SFO’s director.

Emily Thornberry, Labour’s shadow attorney general, said: “This is government incompetence of the first magnitude. The SFO has stumbled from shambles to shambles, with the attorney general completely failing to get a grip. Incompetence like this threatens to have an impact on the reputation of the UK and its relations overseas.”

She added: “People will be wondering how many other skeletons there are in the SFO cupboard that the attorney general is aware of but is declining to make public. The government needs to get a grip, get to the bottom of this mess and come clean about exactly what went wrong and how.”

Do you know who received these leaked documents from the SFO? Get in touch and tell us in confidence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/09/serious_fraud_office_makes_seriously_stupid_mistake/

Snowden’s secure email provider Lavabit shuts down under gag order

Lavabit, the security-conscious email provider that was the preferred email service of NSA leaker Edward Snowden, has closed its doors, citing US government interference.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit,” founder Ladar Levison said in a statement posted to the company’s homepage on Thursday. “After significant soul searching, I have decided to suspend operations.”


Prior to its closure, Lavabit was a dedicated email service that offered subscribers “the freedom of running your own email server – without the hassle or expense.”

In addition to a variety of flexible configuration options, the service boasted that all email stored on its servers was encrypted using asymmetric elliptic curve cryptography, in such a way that it was impossible to discern the contents of any email without knowing the user’s password.

As a whitepaper posted to the company’s website (now removed, but available from the Internet Archive) observed:

Our goal was to make invading a user’s privacy difficult, by protecting messages at their most vulnerable point. That doesn’t mean a dedicated attacker, like the United States government, couldn’t intercept the message in transit or once it reaches your computer.

Our hope is the difficulty associated with those strategies means they will only be used by governments on terrorists and scammers, not on honest citizens.

It now seems, however, that Levison’s hope was just wishful thinking. Without going into details, his statement on Thursday made plain that pressure from the US government was behind his decision to shutter Lavabit.

“I feel you deserve to know what’s going on – the first amendment is supposed to guarantee me the freedom to speak out in situations like this,” Levison wrote. “Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”

Under current US law, requests for information by US intelligence agencies often carry a gag order that forbids the party receiving the request from disclosing what information was requested, or even that a request was made at all.

The gag orders can be challenged by appealing to the shadowy Foreign Intelligence Surveillance Court (FISC), which operates in complete secrecy, but such appeals are seldom granted.

Not even Google or Microsoft – each of which, it must be said, has far deeper pockets than Lavabit – has managed to challenge the surveillance orders. Both companies were named by Snowden as having turned over user data to government spies under the secretive PRISM program, but the FISC won’t allow them to reveal to the public what they may or may not have actually disclosed.

Little wonder, then, that Levison’s “appropriate requests” have similarly been denied.

The Lavabit founder says he next plans to challenge the government’s ruling in the US Fourth Circuit Court of Appeals. A favorable ruling, he says, would allow him to “resurrect Lavabit as an American company” – though he doesn’t appear to hold out much hope.

“This experience,” Levison wrote, “has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/08/lavabit_shuts_down/

NSA gets burned by a sysadmin, decides to burn 90% of its sysadmins

The NSA has announced its brainwave to end further leaks about its secret operations by disaffected employees: it will simply sack 90 per cent of all its sysadmins.

The US surveillance agency’s spyboss General Keith Alexander told a computer security conference in New York that automating much of his organisation’s work – such as snooping on anyone with an internet connection on the planet – would make it more secure.


The inner workings of the NSA’s massive PRISM and XKEYSCORE programmes were exposed to the world by Edward Snowden, an ex-CIA techie and NSA contractor who had access to highly classified material, along with about 1,000 other sysadmins.

Gen Alexander said: “What we’re in the process of doing – not fast enough – is reducing our system administrators by about 90 percent.”

Until now, the chief spook continued, the NSA has “put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing”.

Replacing these leaky humans with computers would make the spooks’ work “more defensible and more secure”. However, the general said his agency had been planning these changes for some time. He did not refer to Snowden by name while announcing his layoffs.

The head spook has previously discussed security measures employed by the agency, such as requiring the presence of two people before certain sensitive data can be accessed.

“At the end of the day it’s about people and trust,” Gen Alexander added. “No one [at the NSA] has wilfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies. There were no mistakes like that at all.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/09/snowden_nsa_to_sack_90_per_cent_sysadmins_keith_alexander/

Silent Circle shutters email service

Silent Circle, the company founded by former PGP wonks and Navy Seals and which offers very, very, secure communications, has decided to shutter its Silent Mail email service.

The decision, announced in a blog post, comes on the same day that Lavabit, another secure email service, decided to close because it cannot guarantee users’ security. Lavabit was PRISM whistleblower Edward Snowden’s email service of choice.


Silent Circle’s blog post says its mail service has “always been something of a quandary to us” because “There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.”

The post mentions Lavabit and its unwillingness to “be complicit in crimes against the American people” and says Silent Circle “see the writing on the wall” and has therefore “decided that it is best for us to shut down Silent Mail now.”

No “subpoenas, warrants, security letters, or anything else by any government” have arrived at the company’s offices, and by acting now the post says Silent Circle and users can avoid dealing with them in future. Staying warrant-free presumably means Silent Circle hopes its customers will be spared future investigations, with the post saying the company had considered keeping the service alive for current users or phasing it out. Now it has decided “that if we dithered, it could be more inconvenient.”

Silent Circle says it is still working on “innovative ways to do truly secure communications”. With both it and Lavabit walking away from efforts at secure email, those efforts appear to be more necessary than ever. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/09/silent_circle_shutters_email_service/

Mozilla links Gmail with Persona for email-based single sign-on

The Mozilla Foundation has unveiled a new Identity Bridge that links its Persona single sign-on technology with Gmail, allowing all Gmail users to log in to Persona-enabled sites without entering a username or password.

Persona works by having users register their email addresses with a server called a Persona Identity Provider (IdP), which will then authenticate their identities for other websites using a system based on public-key cryptography, rather than traditional usernames and passwords.


Because most internet users haven’t registered with a Persona IdP, however – and many don’t even know such things exist – Mozilla has developed Identity Bridging as a stopgap measure until Persona is more widely supported.

A Persona Identity Bridge authenticates users using either the OpenID or OAuth protocols – most major email providers offer one or the other – and then translates the results into the Persona protocol for use with Persona-enabled websites.

Mozilla introduced its Identity Bridging system with Persona Beta 2 in April, which included an Identity Bridge for Yahoo! Mail. With the addition of the Identity Bridge for Gmail, Mozilla says some 700 million email users now have built-in support for Persona – they don’t have to sign up for any new services or create any new accounts.

They don’t need to send any additional information to Google or Yahoo!, either. As Mozilla’s Dan Callahan wrote in a blog post on Thursday, “Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can’t track which sites they sign into.”

Mozilla has previously said that it is working to bring Persona support to more large email providers, and that its eventual goal is to provide support for “over half of the worldwide internet population.” Between the Gmail and Yahoo! Identity Bridges, Callahan says roughly 60 to 80 per cent of North American web users are already covered.

Note, however, that in El Reg’s tests, the Gmail Identity Bridge only worked with addresses from the actual Gmail domain. Addresses from private domains that offer Gmail via Google Apps confused it.

If you have a Gmail address, Mozilla suggests you try out Persona by signing in to any Persona-enabled website, such as Mozilla’s Webmaker. Website owners who are interested in adding Persona to their own sites can find more information here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/09/persona_identity_bridge_for_gmail/

Infosec analysts back away from ‘Feds attacked Tor’ theory

When Tor admitted early this week that some nodes on the network had suddenly and inexplicably gone dark, thanks in part to a malware attack, theories abounded as to just what was going on and why.

That the FBI arrested a man suspected of using Tor to host child pornography distribution services further fuelled speculation that perhaps US authorities had launched an attack on Tor.


Some infosec specialists quickly analysed the malware and suggested it was controlled by an entity using IP addresses associated with defence contractor Science Applications International Corporation (SAIC) and/or the NSA. One and one were promptly put together to suggest three elements explaining the Tor takedown:

  • The arrest of porn suspect Eric Eoin Marques was but one action in a wider attack on Tor
  • The US government, probably the NSA, created weaponised malware to take down Tor
  • SAIC and/or the NSA were the source and/or controller of that malware

A couple of days down the track, that theory is looking rocky, as two of the organisations that helped the malware theory to spread have issued a joint post saying their initial analysis of the malware was wrong.

Cryptocloud and Baneki Privacy Labs write that the IP addresses identified in their initial analysis of the “torsploit” probably don’t have anything to do with SAIC. Cryptocloud is also less than certain that its earlier assertion that NSA IP addresses were involved is right.

The post we’ve linked to above is long, rambling and suggests that even if it is not possible to find an IP address tied directly to the NSA in the Torsploit code, the incident looks an awful lot like the kind of thing the NSA is known to be capable of and interested in.

Edward Snowden’s recent revelations make it plain that the NSA is peering into a great many dark places. Tor’s status as a likely gateway to much of the “dark web” means attempts to gain more intelligence on just what lies within the onion router seem well within the bounds of possibility.

For now, however, the dots aren’t joined. Nor, for what it is worth, is there a decent explanation of where Torsploit came from or just how much damage it has done. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/08/infosec_analysts_back_away_feds_attacked_tor_theory/

So, you gonna foot this ‘$200bn’ hacking bill, insurance giants asked

Multibillion-dollar energy giants, rail companies and other corporations should take out insurance policies for damage caused by hackers, a White House official has suggested.

The government apparatchik is working on a so-called Cybersecurity Framework of best practices to safeguard America’s critical infrastructure – think power plants, water supplies and so on. The insurance policy plan was mooted among other suggestions on how best to defend important firms from electronic attacks.


The framework will be finalised by February 2014; adhering to its standards is voluntary, although it’s likely companies running vital services will be the first to sign up. And, obviously, it needs private insurance giants in the mix to offer indemnification against hackers.

Writing on the White House blog about the framework, Michael Daniel, special assistant to President Obama and a cyber-security coordinator, said: “The systems that run our nation’s critical infrastructure such as the electric grid, our drinking water, our trains, and other transportation are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats, and protecting this critical infrastructure from cyber threats is among our highest security priorities.”

The agencies involved in the discussions, which include the departments of Homeland Security, Commerce, and Treasury, were keen to get the insurance industry involved in the introduction of the framework, as they will be vital in soaking up losses caused by computer network breaches – the sorts of attacks that allegedly cost the UK up to £27bn a year and the US between $119bn and $188bn annually.

Daniel continued: “Agencies suggested that the insurance industry be engaged when developing the standards, procedures, and other measures that comprise the framework and the [voluntary] program. The goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”

Firms will not be forced to sign up to the new initiative, but the White House hopes by offering insurance and grants to industry, that companies will see the benefits of joining in with the scheme. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/08/obama_sets_out_plans_to_insure_firms_against_hack_attacks/

Chrome, Firefox blab your passwords in just a few clicks: Shrug, wary or kill?

Poll Web browsers Google Chrome and Mozilla Firefox can reveal the logged-in user’s saved website passwords in a few clicks. There now rages a debate over whether this is an alarming security flaw or a common feature.

Picture this: you’ve been asked to fix a friend’s PC because it’s stopped printing pages properly, or you saunter past an office colleague’s desk and notice her computer has been left unlocked.


If the victim, shall we say, is using Chrome, surf over to chrome://settings/passwords, click on a starred-out saved website password and click on “Show”; rinse and repeat down the list. Voila, you can see his or her passwords in plain text.

Blighty-based programmer Elliott Kember raised the issue this week on his blog and made a persuasive argument that it is a “silly feature” that needs addressing:

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market – the users. The overwhelming majority. They don’t know [Chrome] works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not OK.

Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click “show” on a few of the rows. See what they have to say.

Kember wants Google’s browser to at least ask users for a password before displaying the credentials in plain text, or warn that they can be accessed in full with a few clicks.

“At this stage, anything would be nice. They’re not acknowledging the fact that millions and millions of Chrome users don’t understand how this works,” he told The Reg. “I’d like to never ever see passwords in plain text without authenticating myself first.”

Chrome’s team lead Justin Schuh responded by arguing that if a miscreant has physical access to the computer then it’s game over anyway, in terms of protecting the user’s system. He added:

I appreciate how this appears to a novice, but we’ve literally spent years evaluating it and have quite a bit of data to inform our position. And while you’re certainly well intentioned, what you’re proposing is that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behaviour. That’s just not how we approach security on Chrome.

Some will say the users need some top tips on securing their machines – such as not leaving it unlocked or in the case of a shared computer, not saving passwords. However, worldwide web granddaddy Tim Berners-Lee said in a tweet that the Chrome team’s response was “disappointing”.

Going back to our earlier scenarios, if the user prefers Firefox, then open Preferences, hit the “Saved passwords” button in the security tab and then press “Show passwords”. But bear in mind that a master password can be set to protect credentials stored in Mozilla’s browser. The same goes for Opera, which also allows a master password to be set to encrypt the data on disk.

Internet Explorer’s saved passwords can be harvested using nimble Registry skills or a suitable third-party tool. And someone’s written cross-browser JavaScript to extract saved passwords from an open page.

So now we turn the debate over to you: in the style of shag, marry or kill, select whether you shrugged, felt wary or had the sudden desire to kill over this issue:

And don’t forget to comment, of course: what else can mitigate the accidental disclosure of one’s privates to a nosy friend? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/08/browser_password_poll/

HP plugs password-leaking printer flaw

Security flaws in a range of HP printers create a way for hackers to lift administrators’ passwords and other potentially sensitive information from vulnerable devices, infosec experts have warned.

HP has released patches for the affected LaserJet Pro printers to defend against the vulnerability (CVE-2013-4807), which was discovered by Michał Sajdak of Securitum.pl. Sajdak discovered it was possible to extract plaintext versions of users’ passwords via hidden URLs hardcoded into the printers’ firmware. A hex representation of the admin password is stored in a plaintext URL, though it looks encrypted to a casual observer.


Sajdak also discovered Wi-Fi-enabled printers leaked Wi-Fi settings and Wi-Fi Protected Setup PIN codes, as an advisory from the Polish security researcher explains.

HP has released firmware updates for the following affected printers:

  • HP LaserJet Pro P1102w,
  • HP LaserJet Pro P1606dn,
  • HP LaserJet Pro M1212nf MFP,
  • HP LaserJet Pro M1213nf MFP,
  • HP LaserJet Pro M1214nfh MFP,
  • HP LaserJet Pro M1216nfh MFP,
  • HP LaserJet Pro M1217nfw MFP,
  • HP LaserJet Pro M1218nfs MFP and
  • HP LaserJet Pro CP1025nw.

HP’s advisory is here.

Consumers aren’t very good at patching their computers, much less their printers, which rarely need security updates.

“The bad news is that many printer owners probably aren’t aware that the security issue exists, or simply won’t bother to apply the firmware update,” security watcher Graham Cluley notes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/08/hp_plug_password_leaking_printer_vuln/