STE WILLIAMS

Did a bunch of bankers fax a stranger’s sensitive privates to YOU?

The Bank of Scotland has been hit by a £75,000 fine over a snafu that led to it repeatedly faxing customers’ account details to the wrong people.

Sensitive information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details. The information was faxed to wrong numbers in a series of incidents over a three-year period starting in February 2009.


One third-party organisation reported receiving 21 documents in error over the three-year period, while a member of the public received a further 10 misdirected faxes. Both parties had fax numbers that differed by only one digit from the intended recipient, the fax machine of an internal Bank of Scotland department that routinely uploads documents onto the bank’s system.

Even after repeated complaints to the bank itself, the errors continued – eventually prompting the fed-up recipients to complain to data privacy watchdogs at the Information Commissioner’s Office (ICO).

The mistakes continued even during the ICO’s investigation, which resulted in a sizeable fine against the bank (PDF), which is part of the Lloyds Banking Group.

“The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines,” said Stephen Eckersley, head of enforcement at the ICO, in a statement. “To send a person’s financial records to the wrong fax number once is careless. To do so continually over a three-year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act.

“Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/06/bank_of_scotland_fax_blunder_fine/

Windows Phones BLAB passwords to hackers, thanks to weak crypto

Microsoft has warned IT departments to batten down their Wi-Fi networks following the discovery of a security vulnerability in Windows Phones that leaks users’ passwords.

Miscreants who set up rogue hotspots can grab from devices employees’ encrypted domain credentials, needed to authenticate with corporate systems and access network resources. But the algorithm encrypting this sensitive data is cryptographically weak, allowing hackers to recover the login details and use them to masquerade as staffers.


“The attacker could take any action that the user could take on that network resource,” Microsoft warned.

The software giant has urged IT bosses to distribute a special root certificate for Windows Phone 8 and 7.8 devices accessing their networks; that certificate allows the handsets to confirm that any corporate wireless access points they’re connecting to are genuine before sending over the sensitive data.

Microsoft won’t issue a security update to fix the vulnerability, though, it said.

The certificate advisory follows the disclosure of a flaw in the Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol (version 2) used in Windows Phones for WPA2 authentication.

Explaining how Windows 8 phones can be immunised against the vuln, the software giant said the devices “can be configured to validate a network access point to help make sure the network is your company’s network before starting an authentication process. This can be done by validating a certificate that’s on your company’s server. Only after validating the certificate is username and password information sent to the authentication server, so the phone can connect to the Wi-Fi network.”

Instructions on how to distribute the certificate, and why it’s important, are here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/06/microsoft_win_phone_wifi_vuln/

Tor fingers Firefox flaw for FAIL but FBI’s also in the frame

Tor has confirmed the existence of malware that has taken down some of its hidden nodes and says flaws in Firefox are the source of the problem.

The network anonymising service yesterday noted the disappearance of some nodes on its network. The outfit hasn’t offered any more insight into what’s down, or exactly what brought anything that is down down.


But it has issued a critical security announcement saying Tor Browser Bundle versions based on Firefox 17 ESR are vulnerable to “arbitrary code execution” that means “an attacker could in principle take over the victim’s computer.”

The news gets worse, as Tor also says:

“However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

That last sentence has tongues wagging, because rumblings about inaccessible Tor nodes started to appear not long after the FBI cuffed a man suspected of using Tor hidden services to distribute child pornography.

There’s no clear link between the two incidents, but plenty of folk are drawing one and imagining weaponised malware that targets Tor users, seeks out hidden services, tries to crash their web servers and compiles a list of Tor users. Reverse engineer and security researcher Vlad Tsyrklevich has said as much in this analysis, while others have traced the malware back to a defence contractor.

Avoiding the flaw is easy. Firefox 17.0.7 ESR addressed the bug. Firefox is now on release 22, so if you have upgraded, you’re safe. Tor Browser bundles 2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1 and 3.0alpha2 all offer a fix. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/06/tor_fingers_firefox_for_fail/

They don’t recognise us as HUMAN: Disability groups want CAPTCHAs killed

The Australian Communications Consumer Action Network (ACCAN), Blind Citizens Australia, Media Access Australia, Able Australia and the Australian Deafblind Council have banded together to campaign for the demise of the CAPTCHA.

CAPTCHAs, or Completely Automated Public Turing test to tell Computers and Humans Apart, ask users to prove they are human by entering text that has deliberately been obscured. The resulting squiggles are often frustrating for able-bodied folks, never mind those with less-than-stellar hearing or sight.

So frustrating, in fact, that ACCAN CEO Teresa Corbin thinks “CAPTCHAs fundamentally fail to properly recognise people with disability as human,” which obviously isn’t on.

After some prodding from Vulture South on why the campaign does not offer guidance to developers on how best to provide strong verification without hampering accessibility (we dislike campaigns that don’t offer solutions), ACCAN suggested its preferred alternative is a “did you really just register for this?” email bearing an activation link.

Interestingly, that method is not one mentioned by the W3C’s Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web document from 2005. But an ACCAN spokesperson said such emails are “a very common and accessible alternative”.

Developers in the audience can feel free to argue otherwise by making a comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/05/disability_groups_want_captchas_rendered_extinct/

Bad timing: New HTML5 trickery lets hackers silently spy on browsers

New time-measuring features in HTML5 can be exploited by malicious websites to illicitly peek at pages open on a victim’s browser, it is claimed.

Security researchers at Context Information Security have figured out how to precisely observe the speed at which CSS and SVG graphics are drawn on screen to extract sensitive data including browsing history or text from other browser sessions.


Paul Stone, a senior consultant at Context, warned that hackers can use this timing information – which can be accurate to millionths of a second – to read the colour of pixels from web pages that are for the user’s eyes only: this allows miscreants to painfully reconstruct words and numbers on the pages, determine which links have been visited, and so on.

The timing feature was supposed to enable smooth animation in web pages: requestAnimationFrame() can be used to calculate the time taken to redraw part, or all of, an open web page.

By opening a web page in an iframe, applying filters and measuring the exact time taken to render bits of it, it is possible to work out which pixels are set. Ideally, the victim should not be aware of the iframe shenanigans.

The JavaScript-powered attack breaks cross-origin restrictions that ought to prevent this sort of trickery. Practically speaking, these attacks are tough to pull off, but that doesn’t mean browser vendors should ignore the threat, as the Pixel Perfect Timing Attacks with HTML 5 whitepaper by Stone explains:

The new HTML5 requestAnimationFrame API can be used to time browser rendering operations and infer sensitive data based on timing data. Two techniques are demonstrated which use this API to exploit timing attacks against Chrome, Internet Explorer and Firefox in order to infer browsing history and read cross-origin data from other websites. The first technique allows the browser history to be sniffed by detecting redraw events. The second shows how SVG filters can be used to read pixel values from a web page. This allows pixels from cross-origin iFrames to be read using an OCR-style technique to obtain sensitive data from websites.

This paper has demonstrated how a malicious website can use the timing of browser graphics operations to steal sensitive user data. Fortunately for users, timing attacks that are easily demonstrated in a controlled environment can prove tricky to implement reliably in the wild. However, this does not mean that browser vendors should not fix these holes. The basic techniques described in this paper will inevitably be improved upon to increase their speed, reliability and real-world usefulness.

Context has notified Google, Microsoft and Firefox-maker Mozilla about its research. The software giants are reportedly investigating ways in which the timing attacks can be prevented, but there may be a trade-off between privacy and browser performance to complicate attempts to resolve the problem.

“Finding and fixing timing attacks is hard,” said Stone. “The asynchronous URL lookups and filter optimisations that make these timing attacks possible were intended to increase browser performance. Fixing them could involve a trade-off between privacy and performance.”

Mozilla, at least, has partially defended users of its Firefox browser against the lines of attack outlined by Stone’s research. “Mozilla has tackled the worst of it in Firefox 22 however there may be some SVG filters that are vulnerable to a lesser degree,” he said.

Website owners can protect themselves from the pixel reading attacks by disallowing framing of their sites. The relevant HTTP header is primarily intended to prevent click-jacking attacks.
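As an added example, not code from the article or from Context's research: a Node.js check of whether a site's response headers would let a cross-origin page frame it, covering X-Frame-Options (the header the article refers to) and the Content-Security-Policy frame-ancestors directive, which browsers give precedence when both are present. The origins and headers used are constructed samples.

```javascript
// Added example (not from the article or Context's whitepaper): decide whether a
// page served with the given response headers can be loaded in an <iframe> by a
// page at `framerOrigin`. Header names are expected in lower case, as Node's
// http module delivers them. Rules applied:
//  - If Content-Security-Policy has a frame-ancestors directive, X-Frame-Options
//    is ignored (browsers give the CSP directive precedence).
//  - frame-ancestors: 'none' blocks every embedder; 'self' allows only the page's
//    own origin; '*' allows all; other entries are host-sources of the form
//    [scheme://]host[:port], where host may start with "*." (subdomain wildcard).
//    Path components of host-sources are not handled here (simplification).
//  - Otherwise X-Frame-Options: DENY blocks all, SAMEORIGIN allows only the same
//    origin, and anything else (or no header) leaves the page frameable by anyone.

function parseFrameAncestors(cspValue) {
  // Return the source list of frame-ancestors, or null if the directive is absent.
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443' }[protocol] || '';
}

function sourceAllows(source, framer, page) {
  // framer and page are URL objects for the embedding page and the framed page.
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framer.origin === page.origin;
  if (s === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // unrecognised source expression: treat as no match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ':' !== framer.protocol) return false;
  const framerHost = framer.hostname; // URL already lower-cases the host
  if (wildcard ? !framerHost.endsWith('.' + host) : framerHost !== host) return false;
  const framerPort = framer.port || defaultPort(framer.protocol);
  if (port && port !== '*' && port !== framerPort) return false;
  return true;
}

function framingAllowed(headers, framerOrigin, pageOrigin) {
  const framer = new URL(framerOrigin);
  const page = new URL(pageOrigin);
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    // An empty source list is equivalent to frame-ancestors 'none'.
    if (sources !== null) return sources.some((src) => sourceAllows(src, framer, page));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer.origin === page.origin;
  return true;
}

// Constructed sample: a site relying on X-Frame-Options alone, probed from a
// hypothetical third-party origin (prints false: the site cannot be framed).
const sampleHeaders = { 'x-frame-options': 'SAMEORIGIN' };
console.log(framingAllowed(sampleHeaders, 'https://third-party.example', 'https://site.example'));
```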

And web surfers can switch to “incognito mode” private browsing, as a workaround.

“Users concerned about these vulnerabilities can mitigate the risks by regularly clearing their browsing history or using private browsing windows to separate their browsing sessions,” Stone advised. “While HTML 5 offers developers a range of new features such as improved animation and graphics support, some of these new capabilities have some unexpected side effects with privacy and security implications.”

Stone delivered his research in a talk at the Black Hat hacking conference in Las Vegas last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/05/html5_timing_attacks/

Child porn hidden in legit hacked websites: 100s redirected to sick images

Innocent companies’ websites are being hacked to serve images of child sex abuse, the Internet Watch Foundation has warned.

The charity said that, in the past six weeks, it has received 227 reports of netizens being directed from completely legal online porno sites to web pages on a second server containing illegal material.


Typically, someone visiting a normal adult porn website is redirected to, say, a file directory listing in a furniture shop’s online home, which has been compromised and filled with images of terrible abuse.

Such trickery – stashing highly illegal content on an innocent organisation’s servers – makes a mockery of the UK government’s attempts to filter out what it determines to be the murkier corners of the internet, and also puts visitors and site owners in legal danger: the defence “but I didn’t know!” is not guaranteed to succeed if the unlucky netizen is subsequently charged with possession and making of indecent images.

“We hadn’t seen significant numbers of hacked websites for around two years, and then suddenly in June we started seeing this happening more and more,” the foundation’s technical researcher Sarah Smith said in a statement.

“It shows how someone, not looking for child sexual abuse images, can stumble across it. The original adult content the internet user is viewing is far removed from anything related to young people or children.”

The charity – which acts as a hotline for reports of online child abuse – described the illegal content as some of the worst of its kind, and said people had been very distressed by what they’d seen.

Surfers leafing through legal XXX sites click on an image or video there and are redirected to a folder containing the images on the hacked site, which might be a furniture store or other unrelated business site. Neither the administrators of the adult site nor those of the hacked site would be aware that the link and folder existed, IWF said.

“Our reporters have been extremely diligent in explaining exactly what happened, enabling our analysts to re-trace their steps and take action against the child sexual abuse images,” Smith said.

“Since identifying this trend we’ve been tracking it and feeding into police forces and our sister hotlines abroad.”

The foundation said that in all cases it had been able to get the sick material removed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/05/iwf_business_sites_hacked_to_host_images/