STE WILLIAMS

Patriot hacker ‘The Jester’ attacks nations offering Snowden help


Soi-disant patriot hacker “The Jester” is taking aim at nations seen as offering aid and comfort to NSA sysadmin turned whistleblower Edward Snowden.

The Jester claimed responsibility for taking down a government-run Ecuadorian tourism site and the email server of the Ecuadorian stock exchange on Monday, before turning his attention to other potential targets.


“en.ecuador.travel – TANGO DOWN – Because fuck you Equador – Harboring Assange and hoping to give asylum to #snowden,” the contra-hacktivist said in a Twitter update.

Snowden applied for asylum to 20 countries in Latin America, Asia and Europe earlier this week. An additional request to apply for asylum in Russia was withdrawn after President Putin said he should stop “harming our American partners” as a pre-condition for a possible asylum request in Russia. Ecuador granted Snowden temporary travel documents that allowed him to travel between Hong Kong and Moscow two weeks ago but has since cooled on the possibility of offering asylum.

Several other countries rejected the possibility of granting Snowden asylum outright, while European nations mostly said that asylum requests can only be made by people physically in their territories, so further narrowing Snowden’s options.

After Venezuela emerged as a likely candidate for refuge for Snowden, The Jester turned his attention towards the South American country.

“There’s 52 VENEZUELEN Government servers visible to the internet, including 27 email servers. Who knew? http://goo.gl/5kh2i,” he tweeted.

The Jester is known for denial of service attacks against Jihadist recruitment websites as well as his antipathy towards Wikileaks in general, and founder Julian Assange (still lurking in Ecuador’s London embassy) in particular. The Jester claimed responsibility for knocking Wikileaks servers offline back in late 2010, shortly after it began the controversial release of US State Department cables.

“As jihadis groom Muslims online to commit acts against us, so [Julian Assange] grooms government personnel like [Army private and accused leaker Bradley] Manning and Snowden to do his dirty work,” the Jester told FoxNews.com. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/04/patriot_hacker_takes_aim_snowden_asylum_candidates/


Going lo-tech to avoid NSA snooping? Unlucky


Privacy-conscious US citizens looking to go retro in the wake of the ongoing controversy about PRISM-related snooping and the NSA harvesting metadata on an industrial scale will find little refuge in snail mail.

The New York Times reports that the United States Postal Service photographs the exterior of every piece of mail going through the system as part of the Mail Isolation Control and Tracking programme. The data is retained for use by law enforcement as part of a scheme set up in the wake of anthrax attacks in late 2001 that killed five people, including two postal workers.


The dataset creates a means to go back in time and trace mail correspondence and was used by the FBI in a case involving the transmission of ricin-laced letters to President Obama and New York Mayor Michael R Bloomberg, says the paper.

Contents of letters are not recorded as part of the Mail Isolation Control and Tracking programme, which operates in conjunction with a decades-old “mail covers” scheme, which involves physically keeping tabs on mail sent to individuals either suspected of criminal or subversive activity.

Leslie Pickering, the owner of a bookshop in Buffalo, and a former spokesman for the Earth Liberation Front, a radical environmentalist group, claims he was among those targeted as part of the mail-covers scheme. He says he learned he was under watch after a handwritten card instructing postal workers to pay special attention to the letters and packages sent to his home arrived in his letter box after apparently being delivered by mistake, according to the NY Times.

Pickering claimed postal officials subsequently admitted they were tracking his mail without explaining why, or for how long, he and his family might have been monitored. NYT said postal officials had declined to comment on his claims.

Law enforcement agencies submit a request for a mail cover direct to the Postal Service, which is able to grant or deny a request without judicial review. By contrast, judges need to sign off wiretap requests. Mail cover requests (granted for 30 days, with possible extensions up to 120 days) are rarely refused, law enforcement officials told the NYT. Requests may relate to either criminal investigation or national security matters.

Criminal activity requests average 15,000 to 20,000 per year, according to unnamed law enforcement officials who spoke to the NYT on the condition of anonymity. The volume of anti-terrorism mail cover requests is unknown.

Law enforcement officials need warrants to actually open mail, but a surprising amount of information can be gleaned from the metadata on the outside of a letter or parcel.

“Court challenges to mail covers have generally failed because judges have ruled that there is no reasonable expectation of privacy for information contained on the outside of a letter,” the NYT reports.

“Officials in both the Bush and Obama administrations, in fact, have used the mail-cover court rulings to justify the NSA’s surveillance programs, saying the electronic monitoring amounts to the same thing as a mail cover. Congress briefly conducted hearings on mail cover programs in 1976, but has not revisited the issue.”

Postal mail volumes are dropping but there were still more than 160 billion pieces of mail sent in the US last year. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/04/usps_scanning_mail_metadata/

Mastercard and Visa block payments to Swedish VPN firms


Mastercard and Visa have reportedly put a block on payment processing services for some anonymisation and virtual private network (VPN) services.

However, the move appears to be restricted to payments made to five consumer-focused VPN and anonymisation services through a single payment processor in Sweden, rather than a more wide-ranging crackdown against the widely used technology. The Pirate Bay’s Peter Sunde’s iPredator is among the VPN providers who say they’ve been informed they can’t be paid by Visa-toting users.

VPN firms who take their fees using the popular Swedish online payment services provider Payson have reported receiving an email stating that anonymisation services can no longer be funded using either Mastercard or Visa card payments.

“Payson has restrictions against anonymization (including VPN services). As a result Payson can unfortunately no longer give your customers the option to finance payments via their cards (VISA or MasterCard),” the email reportedly stated, adding that direct bank transfers might still be used to place deposits in accounts.

Among the affected services is iPredator VPN, launched by Pirate Bay co-founder Peter Sunde. iPredator criticised the move but said it was still able to accept payments via either BitCoins or PaysafeCards.

“We are sorry to inform you that PaySon is not able to process any credit cards anymore from you,” iPredator said in a blog post on Wednesday.

“They changed their policies after being bullied by Visa and Mastercard to exclude VPN services. We did not really receive a heads-up to that change so you have to go for a wallet provider at the moment while we are looking into alternatives.”

Sunde compared the payment-processing block to Mastercard and Visa’s decision not to process payments made to WikiLeaks back in 2010, in the wake of the controversial release of US diplomatic cables by the whistle-blowing site.

“Just talked to Payson who told me that the reason to close down payments for VPNs was an urgent requirement from Visa & MasterCard,” said Sunde in a Twitter update before adding: “The credit card companies are obviously in a cartel. Both Visa & MC demanding the same thing the same day. Same happened with @wikileaks.”

VPN providers Anonine, Mullvad, VPNTunnel and Privatvpn rely on Payson’s services, Torrentfreak reports. All four of these services, as well as iPredator, are consumer-focused and based in Sweden.

VPN services establish secure tunnels to access content or services across the internet. As well as providing privacy in insecure locations, such as Wi-Fi hotspots, the technology can also be used to access otherwise blocked or location-restricted websites. Access is encrypted so the technology provides protection against snooping and credential snaffling.

Virtual private networks have been a mainstream security technology for years and are commonly used in business to access intranet resources or corporate emails. In enterprises, access can be delivered through SSL VPN appliances or through software clients loaded onto desktops or smartphones. All this is quite fiddly for mainstream consumers, hence the growth in VPN services aimed at consumers, some of which also offer anonymity.

Payson’s T&Cs say it does permit payments to anonymisation services and VPNs – with restrictions depending on “current regulatory requirements”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/04/payment_block_swedish_vpns/

Vulns ‘like a hacker camped in the server room’ all across the net


Security holes in server management technology create hacking opportunities almost on par with direct physical access, claims Metasploit creator HD Moore.

The issue arises from security shortcomings involving baseboard management controllers (a type of embedded computer used to provide out-of-band monitoring for desktops and servers, technology installed on nearly all servers) and the Intelligent Platform Management Interface (IPMI) protocol.


An attacker able to compromise a baseboard management controller (BMC) should be able to compromise its parent server. Compromising a server would allow miscreants to copy data from any attached storage, make changes to the operating system, install a backdoor, capture credentials passing through the server, launch denial of service attacks, or simply wipe the hard drives, among many other things.

Attacks like this are easily possible according to Moore, Rapid7’s chief research officer and creator of penetration testing software Metasploit, because vulnerable services are accessible across the net. Research by Moore found that around 308,000 IPMI-enabled BMCs were exposed on the net.

Approximately 195,000 of these devices only support IPMI 1.5, which does not provide any form of encryption. Another 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws.

For example, 53,000 IPMI 2.0 systems are vulnerable to password bypass attacks because they rely upon a weak cipher suite. Passive scans by Moore separately discovered that 35,000 Supermicro BMCs expose an exploitable Universal Plug and Play (UPnP) service.

The security shortcomings under discussion are well beyond the capability of script-kiddies and could only be abused by a skilled and experienced hacker. Even so, it would be wise for sysadmins to listen to the warning implicit in Moore’s research.

A blog post by Moore provides recommendations on how enterprises and hosting providers can mitigate the security risk of having their servers pwned. A lot of this comes down to fairly basic stuff: firewalling vulnerable services, disabling the vulnerable Cipher 0 cryptosuite and using complex passwords. Supermicro system users should apply an updated firmware image.

Previous research by Moore earlier this year revealed that everything from medical systems to traffic light boxes is wide open to hackers thanks to a lack of authentication checks. Flawed use of the Universal Plug and Play (UPnP) protocol meant that up to 50 million devices are insecure, Rapid7 warned in January. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/04/server_management_security_holes/

Droid X2 plus ActiveSync equals DATA SLURP


A Seattle-based security engineer has made the remarkable and disturbing claim that Motorola’s Droid X2 using ActiveSync sends sensitive user data back to the company at pretty much every opportunity.

Ben Lincoln writes here that he discovered the data after routing his phone’s data through a proxy to test Microsoft Exchange ActiveSync, and discovering a Motorola-owned domain, svcmot.com, in the proxy logs.


Lincoln writes that “connections to Motorola were triggered every time I updated the ActiveSync configuration on my phone, and that the unencrypted HTTP traffic contained the following data:

  • The DNS name of the ActiveSync server (only sent when the configuration is first created).
  • The domain name and user ID I specified for authentication.
  • The full email address of the account.
  • The name of the connection.

“As I looked through more of the proxy history, I could see less-frequent connections in which larger chunks of data were sent – for example, a list of all the application shortcuts and widgets on my phone’s home screen(s).”

He goes on to detail a host of data captures associated with Facebook, Twitter, Picasa, Photobucket, YouTube, IMAP and POP3 e-mail accounts, Yahoo! Mail accounts, Flickr, and RSS feeds. For many account types, Lincoln notes, passwords are included in the data sent to Motorola.

Device IMEI and IMSI, phone number, carrier, and a host of other device-specific details are also captured. Lincoln also provides detailed instructions for others to try to reproduce what he’s observed.

The Register has requested comment from Motorola, and will update readers if a response is received. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/02/droid_x2_plus_activesync_equals_data_slurp/

Ubisoft admits major hacking breach, advises password change


French games publisher Ubisoft has confirmed a major breach of its Uplay servers and the theft of user names, email addresses, and encrypted passwords – although it claims financial data is in a separate silo and looks safe so far.

“We are recommending you to change your password,” the company said in a statement. “Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.”


The hacking of the Uplay online gaming database will only increase fears about the system’s security. There were persistent reports of users getting their accounts hijacked earlier this year, and Ubisoft users are particularly at risk as many of its most popular games now require an online account and a nearly always-on internet connection.

The company has been one of the prime movers in getting such internet-reliant DRM systems into place – hardly surprising, since Ubisoft’s CEO thinks nine out of ten gamers are pirates. The company first trialed an always-on requirement back in 2011, but backed down over user outrage before gradually easing the DRM system back in.

To say users were less than thrilled about the company’s fondness for DRM is something of an understatement, particularly after an alert from Google security researcher Tavis Ormandy, who revealed that the Uplay system had a suspected rootkit attached. Ubisoft said that in fact this was a coding error and it had a patch out the same day.

To help with this latest security breach, Ubisoft has set up a page to allow for a quick password reset for the Uplay accounts, although some members on its forums report it’s crashing under the strain of use. Others are somewhat verbose in expressing their annoyance with the current situation.

“I’m sick of incompetent people holding onto any amount of my data,” said one irate user. “I’m sick of them not being held accountable for their incompetence. I’m sick of them passing the buck onto other parties when securing these sorts of things should be routine to anyone responsible for a system like this. Especially at an organization as large as Ubisoft.”

All this furor over DRM and security hasn’t hurt the game company’s bottom line too much – profits were up 73 per cent last year – but gamers are showing an increasing antipathy to games that require an internet connection to function.

The disastrous launch of SimCity online, and the decidedly cool reception of Microsoft’s Xbox One’s DRM and internet requirements, have focused attention on the issue. As Sony has shown, there’s a lot of market share to be gained by not assuming your users are pirates, and if Ubisoft can’t protect its servers, it might at least make them optional rather than compulsory. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/02/ubisoft_data_breach/

What’s the most secure desktop operating system?


Tech Panel The debates about whether Macs are actually more secure than PCs, and whether Linux really is the daddy when it comes to bullet-proof desktop computing, have played out in articles and comments right here on this site on many occasions.

But is inherent security a meaningful concept? Perhaps a better question is how easily “securable” are the various desktop operating systems – and mobile OSes for that matter. Perhaps you think that focusing on defences at the user device level is largely a red herring in today’s world of borderless networks, mobile access and BYOD.

Considering this and the way in which external threats are developing, some are arguing that security efforts should predominantly target the network. If you have an opinion on one or more of the above issues, or any other aspect of security – including how users can be helped to protect themselves and company data from their own ignorance, thoughtlessness or neglect – then our latest reader survey is for you.

You don’t have to be a security specialist to complete it – the questions should be meaningful to gurus and others alike – and you’d be doing us at the Reg a big favour by clicking here and getting stuck in. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/02/secure_os/

‘Weev’ appeals AT&T iPad hack conviction


US cybercrime lawyers have filed an appeal against the conviction and lengthy sentence imposed upon Andrew “Weev” Auernheimer in a high-profile iPad data leak case.

Auernheimer, a member of the grey-hat hacking collective Goatse Security, was jailed for three years and five months back in March after he was found guilty of leaking punters’ private email addresses. The data was exposed thanks to the insecure set-up of AT&T’s servers.


The Electronic Frontier Foundation (EFF) has teamed up with law professor Orin Kerr, internet attorney and EFF fellow Marcia Hofmann, and Weev’s trial lawyers Tor Ekeland and Mark Jaffe in filing an appeal with the 3rd US Circuit Court of Appeals. The appeal argues the government’s prosecution was flawed in law because it relied on an improper application of the US Computer Fraud and Abuse Act (CFAA).

Auernheimer’s co-defendant Daniel Spitler discovered in 2010 that AT&T had configured its servers so that email addresses of early adopter iPad owners were publicly available on the net. Spitler wrote a script that collected roughly 114,000 email addresses as a result of the security snafu. Auernheimer then distributed the list of email addresses to media organisations as proof of the vulnerability, forcing AT&T to acknowledge and fix the security problem.

Auernheimer and Spitler were both charged with identity theft and conspiracy to violate the CFAA — the same law used against internet activist Aaron Swartz, who committed suicide earlier this year while living under the shadow of a looming prosecution. Spitler pleaded guilty in June 2011, while Auernheimer (a self-described internet troll) unsuccessfully fought the charges.

“Auernheimer was aggressively prosecuted for an act that caused little harm and was intended to be — and ultimately was — in the public interest,” the EFF’s Hofmann said in a statement on the appeal. “The CFAA’s vague language gives prosecutors great latitude to abuse their discretion and throw the book at people they simply don’t like. That’s as evident here as it was in the prosecution of Aaron Swartz.”

EFF staff attorney Hanni Fakhoury added: “The government set out to make an example of Auernheimer. But the only message this sends to the security research community is that if you discover a vulnerability, you could go to jail for sounding the alarm.”

Weev’s conviction under the Computer Fraud and Abuse Act (CFAA) was heavily criticised in the security community because the leaked data was harvested from an insecure server. Security researchers are invited to file testimony in an amicus brief in support of Auernheimer’s appeal.

Auernheimer is currently resident at the Allenwood Federal Correctional Complex, White Deer, Pennsylvania.

Last month representatives Zoe Lofgren (D) and Jim Sensenbrenner (R), and Senator Ron Wyden (D, Oregon) introduced “Aaron’s Law” in Congress, a bill that would reform the CFAA. Documents related to the appeal and further background on Auernheimer’s conviction can be found on the EFF’s website. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/02/auernheimer_ipad_hack_appeal/

Lights, camera, action: Snowden movie hits the web


Video Well, that didn’t take long: a group of amateur film-makers in Hong Kong have already managed to release an Edward Snowden movie.

The five minute mini-epic charts the early part of the PRISM whistle-blower’s story, in other words the bit set in Hong Kong:



Although it’s more of a dramatisation of events than a “movie” as such – not unlike something you might see on the Discovery Channel in the early hours of the morning – it’s nonetheless a decent effort and has made it to YouTube less than a month after Snowden first broke cover.

There are a few nice touches including time-lapse photography footage of Hong Kong, while the 24-style shaky cam technique manages to hide pretty well the measly HK$4,000 (£330) budget.

Rather surprisingly the PRISM snitch doesn’t actually speak in the film, despite the actor in question looking not unlike the man himself, although there is a brief clip of real Snowden footage towards the very end.

Freelance video producer Edwin Lee, who kick-started the four day shoot, told CNN most of the script was written the day before filming, with no time for actors to rehearse.

“Yes the film was about Snowden, but he wasn’t featured the most prominently,” he added. “He’s mostly the catalyst [of events] affecting all these different people around him; it’s more about the vignettes.”

These vignettes include scenes at the local police headquarters, a CIA “substation” and a local newspaper. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/02/hong_kong_movie_snowden/