STE WILLIAMS

Speaking in Tech: Forget Venezuela, Snowden. Go to Anna Chapman’s pad!


Podcast


It’s another episode of El Reg’s podcast, bringing you news, views, and rumours about enterprise kit, tech execs’ shenanigans, consumer baubles and more…

Hiding out from the NSA this week are all three SIT presenters: Greg Knieriemen, Sarah Vela and Ed Snowden Saipetch.

This week we discuss…

  • Eddie blows his hand off
  • More Edward Snowden news
  • Slow news week: Missing baby mural in Roswell
  • Summer geek movies bomb
  • Tesla makes it to the NASDAQ 100
  • Execs bail on VMware
  • VMware transitioning
  • VMware vs Amazon vs Microsoft
  • Big transitions at Microsoft
  • The “Start Button” and “spacial coherence”
  • Sarah’s VRTX trouble
  • VMworld pool party

Listen with the Reg player below, or download here.



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/speaking_in_tech_episode_66/

Snowden, schmoden. Let’s talk about crushing hackers, say US’n’China


China and the US were able to set aside their cyber-spying one-upmanship at a meeting yesterday, with officials from both sides agreeing to improve cooperation in tackling hackers.

Before representatives met to talk about computer security defences, China had made much of whistleblower Edward Snowden’s revelations about the NSA’s PRISM electronic surveillance programme – and how American pots shouldn’t be calling any kettles black, while the US continued to harp on about commercial cyber attacks and theft of blueprints.


But Chinese state news agency Xinhua said despite their differences, the talks had gone well.

“The two sides held candid in-depth discussions on cybersecurity, including the mechanism of a bilateral cyber working group, international cyberspace rules, and measures to boost dialogue and cooperation on cybersecurity,” the agency said.

“Both sides expressed the willingness to improve the mechanism of the cyber working group on the basis of mutual respect and equality so that it can play a positive role in enhancing mutual trust, reducing mutual suspicion, managing disputes and expanding cooperation.”

The US State Department agreed with the Chinese assessment of the meeting, saying that discussions were “constructive”.

“I think we could say both sides made practical proposals to increase our cooperation and build greater understanding and transparency between the two sides. We also raised issues concerning cyber-enabled economic theft,” an official told reporters.

“We expect this meeting will be the start of substantive and sustained discussions between the United States and China on cyber issues.”

Another official said that the US was focused on “cyber-enabled theft of intellectual property” in the talks and not on the alleged PRISM-related hacking of Chinese telcos and the country’s Tsinghua University.

The talks were held just ahead of the fifth China-US Strategic and Economic Dialogue, where Vice Premier Wang Yang and State Councillor Yang Jiechi will meet with Secretary of State John Kerry and Treasury Secretary Jacob Lew to discuss all sorts of political, economic and security topics. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/us_china_cybersecurity_talks_result/

Sina’s self-censorship scheme swamped with spam, not rumours


It’s become fashionable for the likes of Facebook and Twitter to reveal how often spooks ask them to retrieve data. Chinese micro-blogging giant Sina Weibo has now more or less done likewise and revealed that its army of 5,500 community reviewers has been busier dealing with spam complaints over the past year than with politically motivated rumours, according to a new report.

Beijing News (via Global Voices) reported new stats from the firm a year after it introduced a community code of practice (CoP) whereby users are encouraged to report each other if they break the rules by posting spam or pornographic content, or “harmful” rumours.


Each user apparently starts with a credit rating of 80, and if that figure drops to below 60 they will find their account restricted and marked as a “low credit” user. If it’s allowed to slide to zero then the account is permanently deleted and they are prevented from registering another in their own name.

A year after the self-censorship scheme was begun, the CoP Community Centre received a total of over 15 million reports, with 12m of these related to spam, one million to indecent material and two million to rumours.

It is the latter that the Communist Party has been leaning on social media companies in the Middle Kingdom to stamp out as they are believed to disrupt social order – in other words undermine the government’s authority.

It should be remembered that “rumours” are not necessarily untrue, merely that the authorities want to suppress a particular piece of news, like the attempted defection of Chongqing PSB chief Wang Lijun last year.

The stats don’t tell the whole story, however. As TechInAsia points out, many politically motivated rumours are dealt with by another system altogether, and accounts which post such sensitive content are at risk of deletion well before their credit runs out.

The relatively low number of rumour-based complaints last year could also either point to greater self-censorship by users or more effective keyword-based blocking on Sina’s part.

In another sign of the ever-tightening controls being placed on Chinese weibo users, the report also claimed that Sina’s team of 5,500 community censors will be expanded to a whopping 100,000. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/weibo_censors_claims_spam_beats_rumours/

‘Priyanka’ yanks your WhatsApp contact chain on Android mobes


A worm spreading through the popular WhatsApp messaging platform across Android devices is likely to cause plenty of confusion, even though it doesn’t cause much harm.

Priyanka renames all contact groups, as well as individual contacts, to Priyanka. The malware makes no use of exploits or vulnerabilities and only spreads manually: victims have to accept a contact file named “Priyanka” from a friend and install it for anything untoward to occur. Simply ignoring the dodgy contact request prevents any damage.


Despite its less than ninja-level infection tactics, reports of Priyanka infection began cropping up on social media sites over the last few days, alongside more numerous alerts about the issue. The overall volume of related messages on Twitter is dozens rather than hundreds, the hallmark of a relatively isolated outbreak.

Fortunately, recovering from infection is a straightforward matter of deleting the dodgy Priyanka contact before clearing your WhatsApp database, Softonic reports. Users will have to go through the setup process again, but at the end of this their previous conversations should be restored.

Specialist Android enthusiast site theandroidsoul.com has screenshots of an infected device and advice on how to restore normality in an informative story here.

Priyanka itself is no big deal but history shows that social engineering tricks that first appear as a prank often get abused for more malign purposes later, so caution is advisable. It’s unclear who created the malware but someone with a grudge against an ex called Priyanka is one plausible theory. People genuinely named Priyanka are likely to find it much tougher going making and retaining contacts on WhatsApp for at least the next few days until the minor outbreak dies down. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/priyanka_whatsapp_worm/

US gov SMASHES UP TELLIES and MICE to halt minor malware outbreak


A US Department of Commerce agency has been chastised for spunking $2.7m chasing down a supposed major malware infection that was actually limited to a handful of PCs.

The Economic Development Administration adopted a scorched earth policy – isolating itself from the internet before destroying more than $170,000 worth of equipment including printers, TVs, and even computer mice – in a comically inept attempt to resolve the phantom outbreak.


The physical destruction of equipment only ceased after the department’s disposal budget was exhausted. “The destruction of IT components was clearly unnecessary,” the Office of the Inspector General’s (OIG) auditor said in an official report released last month.

EDA’s CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components.

EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards. By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million.

EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems.

The EDA, which promotes economic development in underperforming US regions, went into panic mode after receiving notification of a malware outbreak from the US Department of Homeland Security’s CERT (Computer Emergency Response Team) in December 2011.

The agency hired an outside security contractor, at an eventual cost of $823,000, in late January 2012. After some initial false positives, the contractor decided EDA’s systems were mostly clean. Common-or-garden malware was found on six systems, a problem that could have been repaired by reimaging the affected machines. The unnamed “common malware [was] contained in archived e-mail attachments and temporary Internet browser files”, according to OIG’s report.

Confusion and miscommunication meant that an outbreak reckoned by the Department of Commerce’s computer security response team to be limited to two components was treated as something that had spread to more than half of the EDA’s 250 computers. It was treated as an advanced persistent attack internally by the EDA, despite little evidence to substantiate this belief.

EDA’s CIO, fearing that the agency was under attack from foreign cyber-intelligence, isolated its systems from the net and initiated the policy of physical destruction. Unnecessary destruction of IT equipment alone cost $175,000.

Staff were given temporary laptops requisitioned from the Census Bureau, along with internet access and interim e-mail capability in a programme that eventually cost $1.06 million. Entire mail servers were shut down, quite unnecessarily, because of some relatively innocuous malware on a small number of client PCs.

The EDA also spent $688,000 on contractors to come up with a long-term response to the incident. The whole mess was eventually sorted out within five weeks, but even this process didn’t begin until February 2013 – over a year after the initial incident. In total the agency spunked $2.7 million – more than half its 2012 annual IT budget – in grappling with the problem.

The National Oceanic and Atmospheric Administration received the same notice from the CERT but came up with a far more measured response, isolating and cleaning up the problem by January 2012. In contrast, the EDA was still ineptly grappling with the problem until outside agencies stepped in during February the following year.

Despite the wholesale trashing of perfectly good gear, the EDA is not wholly to blame for the mess. An inexperienced staffer in the CERT initially told the EDA that it was dealing with 146 infected components. This assessment was quickly revised downwards to just two infected items in a follow-up notice issued a day later, but, crucially, the EDA were not told that the initial notice was inaccurate and misleading.

“EDA thought there were 146 infected components [which] influenced everyone’s perception of the incident and contributed to EDA’s unnecessary recovery and remediation activities,” OIG explains. EDA took drastic actions through misplaced fears that the malware infection would spread to other government bureaux.

“Deficiencies in the Department [of Commerce]’s Incident Response Program… significantly contributed to EDA’s inaccurate belief that it experienced a widespread malware infection,” OIG explains. “Consequently, the Department of Commerce Computer Incident Response Team (DOC CIRT) and EDA propagated inaccurate information that went unidentified for months after EDA’s incident.”

The OIG added:

We found that DOC CIRT’s incident handlers did not follow the Department’s incident response procedures, that its handler for EDA’s incident did not have the requisite experience or qualifications, and that DOC CIRT did not adequately coordinate incident response activities.

OIG is clear, however, that the main blame for the whole sorry episode rests with EDA, whose recovery efforts were misdirected and inept. “EDA focused its recovery efforts on replacing its IT infrastructure and redesigning its business applications. EDA should have concentrated its resources on quickly and fully recovering its IT systems (e.g. critical business applications) to ensure its operational capabilities.”

The auditor’s report, Malware Infections on EDA’s Systems Were Overstated and the Disruption of IT Operations Was Unwarranted, can be found here (PDF, 33 pages, fairly large). The report notes that the EDA’s IT infrastructure has been systematically mismanaged and insecure for years, with poor handling of patch management and other routine tasks. Many of these problems date back as far as early 2006. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/10/us_gov_agency_smashed_mice_tvs_malware_oig_eda/

Emergency alert system easily pwnable after epic ZOMBIE attack prank


Hardware powering the US Emergency Alert System can be easily tricked into broadcasting bogus apocalyptic warnings from afar, say experts.

Researchers at computer security biz IOActive reckon they found private encryption keys within firmware updates for the devices; miscreants armed with this information could successfully remotely log into the hardware, installed at television and radio stations around the US, as an administrator and broadcast panic-inducing messages to the masses.


And the discovery comes just months after shortcomings in the Emergency Alert System (EAS) were exploited to beam news of a zombie apocalypse to American TVs: Montana Television Network’s regular programming was interrupted by warnings of the end of the world back in February.

Viewers of KRTC in Great Falls, Montana, were confronted by an on-air audio warning that “bodies of the dead are rising from their graves and attacking the living”. A scrolling text warning at the top of the screen named various Montana counties as targets for the spoof announcement of doom, which sparked calls to the state’s cops. KRTC promptly disavowed the fake alert and the whole incident thankfully died down before local survivalist types got too excited.

The perpetrators behind the epic undead prank remain unknown. Initial investigations suggested that weak default passwords on emergency alert systems accessible over the internet may have been used to pull off the hack. This remains unconfirmed.

Private SSH keys discovered

But now researchers at IOActive have found that systems used to receive and authenticate emergency alert messages are vulnerable to remote attack. According to a recent alert from the US Cyber Emergency Response Team (CERT), the vulnerability is specific to Linux-powered application servers from two manufacturers: the Digital Alert Systems DASDEC-I and DASDEC-II gear, and the Monroe Electronics R189 One-Net and R189SE products. All of them were apparently shipped with publicly downloadable firmware that contains private root SSH keys.

“These DASDEC application servers are currently shipped with their root privileged SSH key as part of the firmware update package,” explained Mike Davis, principal research scientist for IOActive.

“This key allows an attacker to remotely log on over the internet and manipulate any system function. For example, they could disrupt a station’s ability to transmit and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances.”

The EAS is designed to enable the President of the United States to speak to US citizens within 10 minutes of a major disaster occurring. In the past these alerts were passed from station to station using the Associated Press (AP) or United Press International (UPI) “wire services”, which connected to television and radio stations around the US. Whenever a station received an authenticated Emergency Action Notification (EAN), it would interrupt its current broadcast to deliver the message to the public.

More recently the system has been switched to a more automated and decentralised design. Once a station receives and authenticates the message, the DASDEC hardware interrupts transmission and overlays the message onto the broadcast, together with the alert tone carrying information about the disaster. Because the DASDEC application server is the component that receives and authenticates EAS messages, security shortcomings in it are a serious concern.

IOActive has also issued its own IOActive Labs advisory [PDF] outlining the apparently affected products, the impact and how to mitigate the problem. According to the US CERT, a fixed version of the firmware is available that allows users to change their login keys, and should be applied to critical devices. ®
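The supply-chain lesson of the IOActive finding is that a firmware update package should never carry private key material. Below is an added example, not IOActive’s, the vendor’s or CERT’s code, of the check a defender can run over a downloaded update before it is trusted: unpack the (assumed tar-based) package in memory, scan every file for PEM private-key blocks, and flag any that lack passphrase protection. The sample package and the key bodies inside it are constructed placeholders, not real keys and not a real DASDEC image.

```python
from __future__ import annotations

import io
import re
import tarfile
from dataclasses import dataclass

# PEM private-key block markers. The optional word before PRIVATE KEY names the
# format (RSA, EC, OPENSSH, ENCRYPTED); an empty label means unencrypted PKCS#8.
_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY-----")
_END = re.compile(rb"-----END [A-Z0-9 ]*?PRIVATE KEY-----")


@dataclass
class Finding:
    member: str      # path inside the firmware package
    key_type: str    # RSA / EC / OPENSSH / PKCS8 / ENCRYPTED
    offset: int      # byte offset of the BEGIN marker inside the member
    encrypted: bool  # passphrase-protected blocks are lower severity, still reported


def scan_blob(member: str, data: bytes) -> list[Finding]:
    """Find every PEM private-key block in one file's contents."""
    findings = []
    for m in _BEGIN.finditer(data):
        label = m.group(1).strip().decode() or "PKCS8"
        end = _END.search(data, m.end())
        body = data[m.end():end.start()] if end else data[m.end():m.end() + 200]
        # Legacy PEM marks passphrase protection with a Proc-Type header;
        # PKCS#8 marks it in the BEGIN label itself.
        encrypted = label == "ENCRYPTED" or b"Proc-Type: 4,ENCRYPTED" in body
        findings.append(Finding(member, label, m.start(), encrypted))
    return findings


def scan_firmware(package: bytes) -> list[Finding]:
    """Walk a tar-based firmware update package and report embedded private keys."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:*") as tar:
        for info in tar:
            if not info.isfile():
                continue
            fh = tar.extractfile(info)
            if fh is not None:
                findings.extend(scan_blob(info.name, fh.read()))
    return findings


def unencrypted_key_paths(findings: list[Finding]) -> list[str]:
    """The findings that matter most: keys anyone holding the package can use as-is."""
    return sorted(f.member for f in findings if not f.encrypted)


# --- constructed sample package (placeholder bodies, not real keys) ---
def build_sample_package() -> bytes:
    fake_rsa = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"MIIEowIBAAKCAQEAconstructedNOTaREALkey000000000000000000000\n"
                b"-----END RSA PRIVATE KEY-----\n")
    fake_enc = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"Proc-Type: 4,ENCRYPTED\n"
                b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                b"constructedNOTaREALkey1111111111111111111111111111111111\n"
                b"-----END RSA PRIVATE KEY-----\n")
    members = {
        "etc/motd": b"appliance image (constructed sample)\n",
        "root/.ssh/id_rsa": fake_rsa,            # root login key, no passphrase: critical
        "etc/ssl/private/server.key": fake_enc,  # passphrase-protected, still shipped
        "root/.ssh/id_rsa.pub": b"ssh-rsa AAAAB3constructed root@appliance\n",  # public half, not flagged
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_firmware(build_sample_package()):
        state = "encrypted" if f.encrypted else "UNENCRYPTED"
        print(f"{f.member}: {f.key_type} private key at offset {f.offset} ({state})")
```

Real update packages may be nested (a tarball inside a squashfs inside a signed container), so in practice the scan is run on every layer after unpacking.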


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/09/us_emergency_alert_system_still_flawed/

Snowden’s Australian ‘revelations’ are old news


Edward Snowden’s leaks have alerted the world to a serious issue: the extent of government spying in societies that supposed themselves to be free. That does not, however, mean that every word he says to Glenn Greenwald is news.

Behind the star-struck reposting of whatever passes from Snowden to Greenwald is a lot of stuff that was already either on the record, or at least strongly suspected.


For example, there’s this story in the Sydney Morning Herald, “Snowden reveals Australia’s links to US spy web”.

A replay of an article in O Globo, the SMH piece tells us that Snowden has revealed the involvement of Pine Gap – more properly called the Joint Defence Facility Pine Gap – Darwin’s Shoal Bay Receiving Station, the Defence Satellite Communications Facility at Geraldton, and Canberra’s HMAS Harman communications facility.

“The US Australian Joint Defence Facility at Pine Gap near Alice Springs and three Australian Signals Directorate facilities: the Shoal Bay Receiving Station near Darwin, the Australian Defence Satellite Communications Facility at Geraldton and the naval communications station HMAS Harman outside Canberra are among contributors to the NSA’s collection program”, the newspaper states.

The problem Vulture South has with this wide-eyedness is simple: in three out of four of the above cases, the co-operation between Australia and the USA was well-known, and the facilities were already named as having an association with the National Security Agency.

Those three facilities are:

  • Pine Gap (discussed in detail by ex-NSA spook David Rosenberg in his 2011 book Inside Pine Gap: the spy who came in from the desert);
  • Shoal Bay and Geraldton, among a group of facilities identified by then-DSD director Martin Brady in 1999 as sources of cooperative collection with the NSA, in this article reposted from The Age.

Only HMAS Harman wasn’t already named in the press as an NSA source facility – and given its nature, it hardly rates as news. As for Pine Gap, the facility’s association with signals intelligence has been accepted for decades, not least thanks to the lyric of Midnight Oil’s 1982 song “The Power and the Passion”: “Flat chat, Pine Gap, in every home a Big Mac.”

Vulture South has followed Snowden’s story with interest, but also with growing irritation at what seems to be a stage-managed process: the leaker adds another “revelation”, Glenn Greenwald publishes it without checking whether it represents new information, and a thousand outlets churn the story without troubling Google. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/09/pine_gap_is_an_nsa_station_write_the_book/

Android sig vuln exploit SEEN IN THE WILD


A GitHub user has demonstrated that the Android APK vulnerability isn’t a trivial matter, posting “quick and dirty” proof-of-concept exploit code on GitHub.

The demo, here, occupies just 32 lines of shell script – it doesn’t actually plant malware into the target code, it merely allows an app to masquerade under another app’s identity.


As noted in The Register on July 4, the vulnerability allows an app’s APK code to be modified without breaking its cryptographic signature. At the time, Bluebox, which discovered the vulnerability (thus creating the credible business card any security startup needs), explained that firmware updates will be needed to fix the issue.

GitHub user “Poliva” – Pau Oliva Fora, whose LinkedIn profile identifies him as an engineer at viaForensics in Spain – created the script apparently without access to the extra information that Bluebox plans to present at Black Hat USA in August.

Although Google has been pushing patches to its OEMs since March, their availability to users depends on whether the OEM has shipped the new code through carriers to end devices. In the meantime, Google maintains its advice that users should stay away from third-party Android app markets. ®
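The page does not describe the mechanism, but the Bluebox bug it refers to hinges on a parser disagreement: an APK is a ZIP file, and when two entries share one name the signature verifier and the installer can pick different copies. Below is an added example, not Bluebox’s or Poliva’s code, of the pre-install check app stores and MDM tooling adopted in response: reject any APK whose central directory lists a name more than once. It also shows which copy Python’s own `zipfile` resolves, to make the disagreement concrete; the sample APK is a constructed stand-in with placeholder contents, not a real app.

```python
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(apk_bytes: bytes) -> dict[str, int]:
    """Return {name: count} for every central-directory name that appears more than once.

    A well-formed APK never has duplicates, so a non-empty result is grounds to
    refuse installation regardless of whether the signature verifies.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_python_resolves(apk_bytes: bytes, name: str) -> bytes:
    """Which copy a reader that keys entries by name (like zipfile) actually returns.

    zipfile builds a name->entry dict while walking the central directory, so the
    last entry wins. A verifier that hashed the first copy would disagree with it.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Structural gate to run before (not instead of) signature verification."""
    return not find_duplicate_entries(apk_bytes)


# --- constructed sample APK (placeholder members, not a real app) ---
def build_sample_apk(with_duplicate: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='constructed.sample'/>")
        zf.writestr("classes.dex", b"dex\n035 FIRST COPY")
        if with_duplicate:
            # zipfile warns about the repeated name but still writes a second entry,
            # which is exactly the shape the detector must catch.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035 SECOND COPY")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)), ("duplicate", build_sample_apk(True))):
        dupes = find_duplicate_entries(apk)
        print(f"{label}: duplicates={dupes} install={'allow' if not dupes else 'REFUSE'}")
        print(f"  zipfile resolves classes.dex to: {entry_python_resolves(apk, 'classes.dex')!r}")
```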


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/09/android_sig_vuln_exploit_seen_in_the_wild/

India’s centralised snooping system facing big delays


After recent revelations about governments snooping on their own citizens, it’s nice to know that not every such effort is going smoothly: India’s much-criticised NSA-style Centralised Monitoring System (CMS) is facing big delays after it emerged that the project is still missing the vital software which will allow analysts to search comms data.

The nation’s Department of Telecommunications has now told the Center for Development of Telematics (C-DoT), which is installing the system, to speed things up, according to official documents seen by the Wall Street Journal.


The Rs.4 billion (£47.8m) CMS was originally conceived as a way of allowing the authorities to lawfully intercept voice calls and texts, emails, social media and the geographical location of individuals.

However, the Intelligence Bureau, which will be manning the system, has delayed its introduction for several reasons.

Firstly, mobile operators in only seven of the sub-continent’s 22 service areas have been connected to the CMS, leaving holes in its reach.

There’s also a major issue in that the system currently lacks the search algorithms needed to identify specific documents, meaning that as it stands operatives would have to search every email in the CMS to find the one they’re looking for.

The datacentre where intercepted data is to be stored is also apparently not yet ready, while the country’s Central Bureau of Investigation has yet to be given access to the system, causing further delays.

At a time when mass government monitoring of communications networks is a hot topic around the world thanks to Edward Snowden’s NSA revelations, rights groups have roundly slammed India’s CMS plans.

Human Rights Watch branded the scheme “chilling” in a strongly worded response, while India’s Centre for Internet and Society warned that the country currently doesn’t have privacy laws which could protect individuals from potential abuse of the system.

A Stop ICMS campaign has also been launched online in an attempt to mobilise opposition to the plans. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/09/india_cms_hit_by_delays/

Hack biz rivals or hire cyber-warriors and we’ll shut you down, warns EU


Businesses could be wound up if they engage in cyber attacks or fail to prevent staff from engaging in computer hacking or other cyber crimes under new draft laws backed by the European Parliament.

MEPs last week voted to support a new EU Directive on attacks against information systems. The new framework would require member states to “take the necessary measures” to ensure businesses can be held liable for offences such as the illegal accessing of information systems, illegal system or data interference or illegal interception.


Under the Directive, member states would be able to levy a number of sanctions on companies engaged in such cyber attacks.

Member states would also be able to impose punishments on companies where failings in their “supervision or control” have allowed “a person under its authority” to commit any of the listed offences.

Sanctions could include “exclusion from entitlement to public benefits or aid; temporary or permanent disqualification from the practice of commercial activities; placing under judicial supervision; judicial winding-up; temporary or permanent closure of establishments which have been used for committing the offence”, according to the Directive.

Sanctions imposed would have to be “effective, proportionate and dissuasive” in order to be justified.

The European Commission said that the new laws, which would update an existing framework in place since 2005, have been particularly designed to combat cyber crime such as “the illegal entering of or tampering with information systems” and “the massive spread of malicious software creating ‘botnets’ – networks of infected computers that can be remotely controlled to stage large-scale, coordinated attacks”.

Individual perpetrators of the crimes could face at least five years in prison in cases where the offences they have committed “cause serious damage” or “are committed against a critical infrastructure information system”.

EU member states will have two years from the date that the new Directive is published in the Official Journal of the EU to implement the new laws.

“This is an important step to boost Europe’s defences against cyber-attacks,” the EU’s Commissioner for Home Affairs, Cecilia Malmström, said in a statement.

“Attacks against information systems pose a growing challenge to businesses, governments and citizens alike. Such attacks can cause serious damage and undermine users’ confidence in the safety and reliability of the Internet.”

“The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions.

“Member States will also have to quickly respond to urgent requests for help in the case of cyber-attacks, hence improving European justice and police cooperation,” she said.

On Friday the UK’s Ministry of Defence announced that it had formed a new Defence Cyber Protection Partnership (DCPP) with a range of security industry organisations.

“By sharing experience of operating under the constant threat of sophisticated cyber attack, the DCPP will identify and implement actions that have a real impact on the cyber defences of its members and the UK defence sector as a whole,” an MoD statement said.

“In particular they will highlight the need for protective measures which should increase the security of the wider defence supply chain and define an approach to implementing cyber security standards across its members and its supply chain partners.”

The MoD, intelligence agency GCHQ and the Centre for the Protection of National Infrastructure will work with BAE Systems, BT, Cassidian, CGI, Hewlett Packard, Lockheed Martin, Rolls-Royce, Selex ES and Thales UK under the new partnership.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/09/winding_up_penalty_could_be_levied_on_businesses_engaged_in_cyber_attacks/