STE WILLIAMS

Parking ticket firm ‘exposed private info’

Exclusive: Britain’s privacy watchdog will investigate a major car-parking contractor after its website allegedly leaked drivers’ personal information.

Readers will be relieved to know, however, that representatives of chesty TV princess Katie Price say she has avoided having any sensitive private information revealed during the affair.


UK Parking Control (UKPC) is accused of revealing photographs of Brits’ cars parked with number plates clearly legible and, in some cases, the location revealed. In some images it’s alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images – allegedly made easily accessible to anyone on the UKPC website – exposed drivers’ personal information.

Each ticket dished out by UKPC, which monitors 1,200 car parking locations nationwide, includes a unique link to the company’s website: the printed URL pulls up a page with pictures of the vehicle taken by one of the company’s ticketing operatives to illustrate why that particular penalty was issued.

But one ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people’s vehicles. Sample pictures seen by The Register appeared to support the allegations. Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.
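The flaw described above, a printed URL whose values can be edited to reach other tickets’ photos, is an insecure direct object reference. As an added example (not UKPC’s code; the URL layout, parameter names and server key are assumptions), here is a ticket link that carries an HMAC tag over the ticket number, so an edited number fails verification instead of returning someone else’s evidence:

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret that never appears in any URL; generated per run here.
SERVER_KEY = secrets.token_bytes(32)
BASE = "https://ticket.example/evidence"  # constructed placeholder, not UKPC's real address

# Constructed evidence store: ticket number -> the photos taken for that ticket only.
EVIDENCE = {
    "PCN100234": ["PCN100234_front.jpg", "PCN100234_plate.jpg"],
    "PCN100235": ["PCN100235_front.jpg"],
}


def _tag(ticket_id: str, key: bytes) -> str:
    """HMAC-SHA256 over the ticket number, truncated to 128 bits; unforgeable without the key."""
    return hmac.new(key, ticket_id.encode(), hashlib.sha256).hexdigest()[:32]


def ticket_url(ticket_id: str, key: bytes = SERVER_KEY) -> str:
    """The link printed on the ticket: the number plus its tag."""
    return BASE + "?" + urlencode({"pcn": ticket_id, "t": _tag(ticket_id, key)})


def evidence_for(url: str, key: bytes = SERVER_KEY):
    """Server side: release photos only when the tag matches the presented ticket number."""
    query = parse_qs(urlsplit(url).query)
    ticket_id = query.get("pcn", [""])[0]
    presented = query.get("t", [""])[0]
    # Constant-time comparison so the check itself does not leak by timing.
    if not hmac.compare_digest(presented, _tag(ticket_id, key)):
        return None  # indistinguishable from "no such ticket"
    return EVIDENCE.get(ticket_id)


def with_ticket_number(url: str, new_ticket_id: str) -> str:
    """The tweak the article describes: change the number, keep the rest of the URL."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query["pcn"] = new_ticket_id
    return parts._replace(query=urlencode(query)).geturl()
```

Sequential ticket numbers can stay printable and searchable; what changes is that the tag, not the number, is the capability.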

Photos of parked cars with number plates visible can in themselves cause privacy problems, as they can show where a driver has been. This is why number plates are blurred out on Google Street View, for instance, and why only police and other authorised users are allowed access to number plate records generated by such systems as speed cameras.

Number plates linked to names and potentially to precise locations and times would offer still more scope for embarrassment, so it’s clear that UKPC’s database contains significant private information subject to the Data Protection Act.

After being alerted by The Register and our sources, the UK Information Commissioner’s Office confirmed it will begin an investigation into the alleged leak.

An ICO spokesperson said:

We have recently been made aware of a possible data breach involving UKPC, and are now making enquiries into the circumstances of the alleged breach before deciding what action, if any, needs to be taken.

Word of the alleged security bug in the website of UKPC – which monitors car parks for Tesco, B&Q and other big names – has spread on the Money Saving Expert discussion forums and motoring discussion board Pepipoo. Some images, said to be taken from the UKPC website, were reproduced on the Nutsville blog, which campaigns against the private parking enforcement industry in the UK.

And it was claimed a snap of a gleaming white Range Rover belonging to pneumatic pinup Katie Price – aka the model Jordan – was among the unearthed images. Some reports have it that Ms Price does have such a vehicle among her fleet – and the personalised number reported on the vehicle was highly suggestive. However, a spokeswoman for the once-upon-a-time model told the Reg that Ms Price’s only Rover 4×4 is pink, has a different number, and that anyway she’s trying to sell it.

Despite strongly worded legal threats from UKPC’s solicitors, the Nutsville bloggers have refused to take the pictures down.

An anonymous source linked to the site, which uses overseas servers and other measures to mask its owners’ identities, told the Reg:

“If UKPC keeps on threatening us, we will just put up more posts. They have been subjected to civil public justice. They should take the punishment and learn a lesson.”

The source claimed it was “irresponsible” of UKPC to expose its cache of photographs online in such an insecure manner.

“UKPC say we have broken the law, but we didn’t even need a password to see these photographs,” our contact added.

We’re told the photographs date back to 2009. Allegedly, some are a telling insight into the lives of UKPC parking personnel: some photographs, it’s claimed, were taken inside the homes of the company’s workers, from snaps of someone lying in bed to a scene of a pig relaxing in a dog basket in front of a massive widescreen telly.

UKPC has been repeatedly contacted for comment by The Register over recent days, but no one at the company has been available to comment on the allegations. We should note that it is not against the law to film or photograph in a public place where there is no reasonable expectation of privacy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/08/ukpc_pictures_leaked/

Anonymous blitzes Israel in new attack

Anonymous claims to have disrupted more than 100,000 Israeli web sites and caused over $US3bn in damages with a new campaign, called OpIsrael, launched over the weekend. Israeli officials say the effort was largely unsuccessful in breaching the nation’s online defences.

In a typically understated piece of pre-op PR last Thursday, an Anonymous press release revealed the attack would take place on Sunday – which happens to be Holocaust Remembrance Day – in retaliation for recent Israeli air strikes in Gaza and treatment of Palestinians in the region.


Anonymous’ release added the following:

To the government of Israel: You have NOT stopped your endless human rights violations. You have NOT stopped illegal settlements. You have NOT respected the ceasefire. You have shown that you do NOT respect international law. This is why, on April 7, elite cyber-squadrons from around the world have decided to unite in solidarity with the Palestinian people against Israel as one entity to disrupt and erase Israel from cyberspace.

A tweet from the OpIsrael account on Sunday claimed that 100,000 web sites, 40,000 Facebook pages, 5,000 Twitter accounts and 30,000 Israeli bank accounts were hacked, causing $3bn worth of damages.

At the time of writing, the web sites of the Prime Minister’s Office, the Central Bureau of Statistics, Mossad and the President of Israel, among others, were unavailable.

The Hacker News has a list of pastebin pages revealing all the sites apparently targeted. Some were defaced with anti-Israel slogans while hundreds of others suffered sustained DDoS attack, it claimed.

Private firms were also affected, with the Twitter account of AVG_Israel compromised by attackers in an embarrassing turn of events for the security vendor.

In response, Israeli officials have been typically defiant, playing down the extent and damage caused by the attacks.

Yitzhak Ben Yisrael, of the National Cyber Bureau, told The Indy that there is “hardly any real damage”, claiming that “Anonymous doesn’t have the skills to damage the country’s vital infrastructure”.

In addition, a Finance Ministry statement sent to the New York Times claimed that although government sites were under DDoS attack they haven’t been greatly affected.

However, the websites of Israel’s Finance Ministry and Foreign Affairs Ministry remain down at the time of writing.

As such, the current OpIsrael blitz seems to be more successful than the last time Anonymous tried something like this, back in November 2012.

Things haven’t been going all the way of Anonymous, though, with reports emerging that Jordanian security forces have arrested some of the suspected hackers.

The opisrael.com site also appears to have been hacked and defaced by pro-Israel hacktivist EhIsR. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/08/opisrael_hackers_blitz_sites/

Silent Circle aims for email that’s as secure as it gets

It’s been 22 years since Phil Zimmermann, Jon Callas and the rest of the PGP crew brought encryption to the masses for free, and now the same team – augmented by backing from a couple of former Navy SEALs – has expanded into a new privacy concern that will launch an email service in a couple of weeks.

Silent Circle came out of stealth mode last June with a $20 (£13) per month package for voice, text, and video services that are encrypted by an application on a user’s smartphone, tablet or computer. Users download the software and all traffic is handled by the company’s own servers.


Encryption keys are set up on each device using the application and are then discarded once the message has been completed, so that they cannot be slurped. To further protect against wiretapping, the firm’s servers that handle traffic are located in Canada and Switzerland, with an Asian location to be decided.

Now the company is moving into email, with an encryption system based on decades of encryption experience and the desire for private communications. Based on the team’s background, there’s good reason to believe it will be successful.

Disruptive tech

Younger readers won’t remember the huge kerfuffle caused when Zimmermann put Pretty Good Privacy out there, over 20 years ago. The system was investigated by the US government for “munitions export without a license” after use of the code spread, although no charges were brought.

Security was barely an issue when email was designed, and PGP addressed a key need for internet users. Thankfully, governments around the world recognized that the benefits of encryption have far outweighed the threat, and now similar systems are built into almost every online transaction – but it’s still not enough.

“Email is fundamentally broken,” Jon Callas, Silent Circle’s CTO, tells The Register, pointing out that security was not a serious factor in the original protocols. Wrapping messages in the best possible encryption will give a measure of security, and the team have spent nearly two years honing their product.

“We believe we’ve got it as good as we can get it,” he said. “Nothing is perfect, and anything we find there’s a problem with, we’ll fix it.”

To further test the system’s mettle, Silent Circle has put its source code up on Github for analysis by the security community. So far, Callas said, three possible problems have been found. None of them were serious, and all have since been fixed or ameliorated.

The new email service will take the best of this encryption, plus some extra special sauce and tools from PGP, and aims to offer secure service to subscribers across the world.

Baghdad beginnings

It’s not just the PGP crew behind Silent Circle. Two of the key backers, including CEO Mike Janke, are former US Navy SEALs who saw a need for this kind of secure communication.

Janke was operating a security detail in Baghdad and became increasingly frustrated with the inability to run a simple, secure communications setup. It was a problem he’d seen around the world, where the presumption of monitoring by outsiders is the norm.

You might think a service like this would have the government worried, but according to Callas the response so far has been very positive. Since the launch, numerous government agencies have tried the service and there have been no moves to squash it on the legal front.

“We’ve checked with a bunch of people on it and talked to people inside the government. We hired on contract a private attorney who used to be a terrorism prosecutor. She advises us and has been our envoy to Congress and other places. We know they need to hear about us first,” Callas said.

Such issues are much on the mind of legislators of late. Intelligence agencies are pushing for an extension of the Communications Assistance for Law Enforcement Act (CALEA) to require an automatic backdoor into communications software of this type. A legislative push in the area is expected later this year.

The market chooses

So far, Callas reports that subscription sales for the service have gone much better than he expected, and the company is bringing forward its plans to scale out with a bigger server footprint.

There’s been some interest in the service from the highest end of the market, with Nokia’s luxury phone outfit Vertu adding it in as an extra for the punter who has €7,900 to splash out on the fanciest of mobiles. But Callas said that for certain types of enterprise employees, the service is proving much more popular than first thought.

There’s increasing concern about doing business abroad, now that some states seem to have built industrial espionage into their economic policy. And while Silent Circle isn’t free like PGP, it’s not massively expensive either. It and similar products may soon become security best practices for enterprises overseas.

With the extension of its service to email, Silent Circle is moving into more popular waters, and it should pick up more customers, depending on how well it can integrate operations into its secure setup. Callas said the company is playing a long game; it’s not looking for lightning expansion or to sell out as soon as possible.

We’ll see if there’s a mass market for this kind of service, but El Reg suspects it could prove more popular than Silent Circle expects. These are paranoid times, and it pays to be as safe as possible. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/06/silent_circle_private_email_expansion/

German ransomware threatens with sick kiddie smut

Security technicians at Sophos are poring over a new piece of ransomware that uses images of purported child sexual abuse to extort money from internet users, a discovery that has prompted an alert from the Internet Watch Foundation (IWF).

The malware activates when a user is online and opens a browser-locking screen that claims to be from the German Federal Criminal Police (Bundeskriminalamt). The screen displays images of alleged child pornography, along with the name, age and location of the victim, which the page says have been viewed on that PC.

“Ransomware that uses pornography as a tool is nothing new,” Graham Cluley, senior technology consultant for the British security software vendor, told The Register. “This is the first time we’ve seen images shown – that’s very different. It’s going for shock value.”

The lock screen also shows the user’s IP address and internet service provider, as well as a live webcam view of the user if the hardware is available. The user is instructed to pay a fine to unlock their PC, and given an online account to put money into.

As ever with such attacks, actually paying the “fine” is the worst thing to do. Your PC will be marked down as having a valuable fool on the end of it, and further financial demands are sure to follow.

‘Pay up, pervert’: the German ransomware lock screen (source: Sophos)

This malware also differs from most ransomware in that it doesn’t activate when the infected PC is booted up, but only after a user goes online for a while, Cluley explained. The code is still being tested and other nasty surprises may be lurking in the payload.

German internet users started reporting the issue on Friday, but it is considered enough of a threat for the IWF to put the word out to German internet users immediately. But the malware is unlikely to stay solely a Teutonic threat, since it has been localized for other countries as well, Cluley said.

Testing showed that when the ransomware was run from a British IP address, the purported police message was rebranded from the Bundeskriminalamt to the London Metropolitan Police. Cluley said it was reasonable to assume that other police forces’ brands have been added, as is the case with other ransomware types.

Ransomware has been around for over 20 years, but there’s recently been a big upsurge in its use. Along with fake security software it’s one of the most directly lucrative ways of extorting money from internet users, and recent arrests have shown that it’s becoming very big business indeed.

The Reveton Trojan, spotted last April, used similar threats of illegal pornographic viewing (without images), and when Spanish police swooped and arrested 11 members of the gang behind it, they found the team had been raking in €1m a year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/05/iwf_warning_smut_ransomware/

Half a MEELLION passwords reset after Scribd security snafu

Scribd, which claims to be the world’s largest online library, has been hacked – exposing the email addresses, usernames and password hashes of 500,000 users.

The document-sharing website admitted the database raid may have leaked the details of one per cent of its 50-million-plus users.


Potentially affected users have been notified by email and advised to change their passwords, we’re told. The website’s operators added:

Earlier this week, Scribd’s Operations team discovered and blocked suspicious activity on Scribd’s network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users.

Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack.

We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password. Therefore, if you did not receive an email from us, you are most likely unaffected.

The suggestion that only one per cent of users have been affected “because of the way Scribd stores passwords” is a bit of a puzzler. El Reg reader David, whose password was reset in the wake of the breach, was left with several questions over the incident.

He said:

“What’s happened with the Scribd potential password leak? In particular what’s up with the 1 per cent? I don’t think it is the 1 per cent who used Scribd that day, week or month, because I don’t visit that often.”

Paul Ducklin, Sophos’s head of technology for Asia Pacific, said this sort of uncertainty was understandable.

“At first blush, I was inclined to interpret this to mean that 99 per cent of passwords were stored securely, presumably by salting and hashing, leaving only a small proportion open to the scrutiny of intruders,” he wrote.

“We’ve seen cases before where websites have upgraded their password handling systems to make them safer, but seem to have failed to migrate all users to the new system in a timely fashion, leaving some users in an insecure limbo,” Ducklin added.

However, Scribd clarified the situation by stating that only “encrypted passwords”, by which it means salted and hashed ones, were exposed:

Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.

Even though this information was accessed, the passwords stored by Scribd are encrypted (in technical terms, they are salted and hashed). Most of our users were therefore unaffected by this; however, our analysis shows that a small percentage may have had their passwords compromised. In an abundance of caution, we are therefore asking those affected users to reset their password and to change their password on any other services they might have used it on.

Scribd has promised a security review and the introduction of “numerous additional safeguards” in the wake of the security flap, for which it apologises. Unless it was using an outdated password hashing algorithm, it’s not easy to say how much more Scribd could do on the password security front.
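Ducklin’s “insecure limbo” above is the case where a site has adopted salted hashing but still holds older, unsalted hashes for accounts that have not logged in since the change. As an added example (not Scribd’s code; the storage formats, the legacy scheme and the PBKDF2 parameters are assumptions), here is a store that verifies both forms, upgrades a legacy record at the only moment the cleartext is in hand, and reports which accounts are still in limbo:

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumption: PBKDF2 work factor for this demo


def legacy_hash(password: str) -> str:
    """The old, unsalted form some accounts may still sit in (hypothetical legacy scheme)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: a fresh random salt per account, stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored form, using constant-time comparison."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), rest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), digest_hex)
    raise ValueError(f"unknown hash scheme {scheme!r}")


def needs_upgrade(stored: str) -> bool:
    return not stored.startswith("pbkdf2_sha256$")


def login(db: dict, username: str, password: str) -> bool:
    """Authenticate; on success, migrate a legacy record because the cleartext is available."""
    stored = db.get(username)
    if stored is None or not verify(stored, password):
        return False
    if needs_upgrade(stored):
        db[username] = pbkdf2_hash(password)
    return True


def accounts_in_limbo(db: dict) -> list:
    """Accounts still on the legacy scheme: what a breach would expose unsalted."""
    return sorted(user for user, stored in db.items() if needs_upgrade(stored))


# Constructed user table: alice has not logged in since the scheme change, bob has.
USERS = {
    "alice": legacy_hash("correct horse"),
    "bob": pbkdf2_hash("battery staple"),
}
```

Accounts that never log in never leave the limbo list, which is why a forced reset for the remaining legacy records is the usual end of such a migration.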

The shortcomings that allowed hackers to get into its network are an obvious security concern, though.

The YouTube-for-writers website has set up a “breach checker” microsite which lets punters check email addresses against the list of possibly pwned accounts. This tool poses no great risk, but it could be implemented better, according to security experts.

“It would have been a nice touch if the company had used HTTPS for this particular page, rather than sending your email address, and the notification of whether it was on the at-risk list, via unencrypted HTTP,” Sophos’ Ducklin wrote.

“On the other hand, since anyone can check anyone’s email address anyway, and since you probably received an email advising you to change your password already if your account was potentially pwned, it probably doesn’t matter.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/05/scribd_security_snafu/

Bitcoin exchange: Greedy traders to blame for DDoS attack

The soaring value of crypto-currency Bitcoin stuttered slightly last night – after a main exchange for the currency was flooded with network traffic and Bitcoin wallet site Instawallet was suspended.

Mt Gox, the most popular Bitcoin exchange, blamed an ongoing distributed denial-of-service (DDoS) attack for trading lags and other connectivity problems over recent days. It stated:


Mt.Gox has been suffering from its worst trading lag ever, 502 errors, and at one point some users were not able to log in their account. The culprit is a major DDoS attack against Mt.Gox. Since yesterday, we are continuing to experience a DDoS attack like we have never seen. While we are being protected by companies like Prolexic, the sheer volume of this DDoS left us scrambling to fine-tune the system every few hours to make sure that things don’t go beyond a few 502 error pages and trading lag.

The statement, issued on Thursday, goes on to speculate that the packet-flinging attacks by unknown parties may have been designed to destabilise the fledgling currency that relies on cryptography for transactions.

The attackers may have been attempting to trigger panic selling that they could then profit from by buying the currency at a low point timed to coincide with the temporary suspension of a series of attacks, it suggests.

Japan-based Mt Gox goes on to explain that it is facing an unprecedented increase in new accounts, 57,000 in March alone compared to around 100,000 in the whole of 2012, so that it is now handling 420,000 trades per month and $121m in monthly trade volume.

Bitcoin prices peaked at $147 per BTC early this week before falling back to below $120 per BTC around the time of the attacks. The exchange rate was around $134 per BTC on Thursday. Last year the value of a Bitcoin increased steadily from around $5 to reach about $13 at the start of this year. Since then – after just three months – the value has increased almost exponentially to reach the unprecedented height of $147 per BTC.

It hasn’t all been plain sailing. An arcane software problem last month resulted in the price of the digital currency falling 23 per cent to $37 before quickly regaining lost ground, as explained in some depth in a blog post by Paul Ducklin of Sophos.

As previously reported, a good portion of the recent increase is likely due to the banking crisis in Cyprus. Interest rates are low across Europe, while exchange rates are volatile, factors that make gold, silver and (for the tech savvy) Bitcoins seem like a safe haven. The Dow Jones industrial average has recovered to pre-crash heights but the same can’t be said of stock markets in Europe.

The increased value of Bitcoins has made the currency an increasingly attractive target for cybercrooks, among other unwelcome problems, as well as more positive developments such as plans to establish the first Bitcoin ATM in Cyprus.

After temporarily suspending its services this week following a security breach, Bitcoin wallet service Instawallet has announced an indefinite suspension of service while it develops a more secure architecture.

Our database was fraudulently accessed; due to the very nature of Instawallet it is impossible to reopen the service as-is.

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Last week payments start-up Dwolla was also hit by a DDoS attack, which affected third-party developers too. Dwolla accepts Bitcoins but it’s unclear whether or not the attack on the service is tied to the latest run of hacker attacks against Mt. Gox and Instawallet.

Individual Bitcoins exist as a digitally signed solution to a complex mathematical algorithm. New Bitcoins are “mined” by working out solutions to unsolved algorithms. There are an estimated 11 million Bitcoins in circulation, worth around $1.4bn at current prices, out of a total 21 million Bitcoins that can ever be created, according to limits hard-wired into the system (PDF).

Regulators are looking to apply money-laundering rules to virtual currencies such as Bitcoin but success on this front is far from assured and may be resisted by some, and not just by libertarians and cypherpunks who’ve found common cause in backing a digital currency outside the control of governments.

Bitcoins are increasingly going mainstream through commercial developments. Expense management firm Expensify, for example, has added Bitcoin as a reimbursement option.

Bitcoin is progressing to the point where the currency offers the cheapest means to carry out foreign currency exchange. However, the use of Bitcoins to anonymously pay for hard drugs and other illicit items on the Silk Road trading marketplace is something that will undoubtedly be used by politicians and other critics to bash the currency. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/05/bitcoin_ddos_analysis/

Australian Feds charge 17-year-old ‘Anon’ with four crimes

Australia’s Federal Police (AFP) has announced a 17-year-old has been charged for alleged crimes undertaken in the name of Anonymous.

The AFP has issued a statement about the arrest, but won’t say anything else on the matter.


The statement reads: “A 17-year-old youth appeared in Parramatta Children’s Court on Friday (5 April 2013) to face charges relating to unauthorised access to computer data.”

“The juvenile is suspected to be a member of the online issue motivated group ‘Anonymous’ and allegedly committed serious offences on their behalf.”

The AFP says the accused was charged with the following:

  • “Six counts of unauthorised modification of data to cause impairment, which carries a maximum penalty of 10 years imprisonment;
  • One count of unauthorised access with intent to commit a serious offence, which carries a maximum penalty of 10 years imprisonment;
  • One count of possession of data with intent to commit a computer offence, which carries a maximum penalty of 3 years imprisonment; and
  • Twelve counts of unauthorised access to restricted data, which carries a maximum penalty of 2 years imprisonment.”

The statement also says the youth’s home was searched in November 2012. The Reg has no way of knowing if the arrested Anon worked on operations targeting Australia or other nations, but the appearance in a local court suggests onshore issues. If that’s the case, the most high-profile Anonymous attack in Australia during 2012 saw the release of customer records belonging to telco AAPT in August, as part of a protest against Australia’s consideration of data retention laws. The last three charges listed fit the AAPT incident quite nicely.

The accused will appear in court again on 17 May. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/05/australian_federal_police_charge_17_year_old_anon/

BIGGEST DDoS in history FAILS to slash interweb arteries

Analysis: The massive 300Gbit-a-second DDoS attack against anti-spam non-profit Spamhaus this week didn’t actually break the internet’s backbone, contrary to many early reports.

The largest distributed denial-of-service (DDoS) assault in history began on 18 March, and initially hit the Spamhaus website and CloudFlare, the networking biz hired by the spammer-tracking outfit to keep its systems online, at 90Gbps. After failing to knock the organisation offline, the attackers targeted CloudFlare’s upstream ISPs as well as portions of the networks at internet traffic exchanges in London and Amsterdam.


The volume of this second-wave attack, which began on 22 March, hit 300Gbps, an unnamed tier-1 service provider apparently told CloudFlare.

By far the largest source of attack traffic against Spamhaus came from DNS reflection, which exploits well-meaning, public-facing DNS servers to flood a selected target with network traffic – this is opposed to the usual tactic of using a huge botnet army of compromised computers.

DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server; the request is crafted to appear as though it originated from the IP addresses of the victim. The server then responds to the request but sends the wad of data to the victim. The attackers’ requests are only a fraction of the size of the responses, meaning the attacker can effectively amplify his or her attack by a factor of 100 from the volume of bandwidth they control.

CloudFlare reckons there were 30,000 DNS servers involved in the attack against Spamhaus, which might have been launched from only a small botnet or cluster of virtual servers. The attack against Spamhaus and CloudFlare proved there is a serious design flaw in the underpinnings of the internet, one that security experts such as Team Cymru and others have been warning about for years – although the use of DNS servers in DDoS attacks is rare, Rob Horton from NCC Group told El Reg.

The open DNS server problem is both a huge and under-reported issue involving 21.7 MILLION DNS resolvers that can be abused to launch equally ferocious attacks in future.

But the good news is that fixing the problem only requires small changes in configuration files that take only minutes. Everybody El Reg has spoken to agrees there’s a problem with open DNS servers, with some even suggesting the easily abused resource may replace botnets as a launchpad for DDoS attacks.
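As an added example (not CloudFlare’s or any vendor’s code; the log format and the served networks are assumptions), here is detection logic for a resolver operator, run over constructed query-log lines: it flags sources whose answers dwarf their questions, and lists answered clients that fall outside the networks the resolver is meant to serve, which is the open-resolver misconfiguration the article says a few lines of configuration would fix:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a resolver's query log (a simplified format, not BIND's own),
# one line per query this resolver answered. 203.0.113.7 is a spoofed victim: it never
# asked, but keeps receiving our large ANY answers.
SAMPLE_LOG = """\
2013-03-23T10:00:01Z client=198.51.100.10 qname=example.net qtype=A qlen=29 rlen=45
2013-03-23T10:00:01Z client=203.0.113.7 qname=example.org qtype=ANY qlen=36 rlen=3120
2013-03-23T10:00:01Z client=203.0.113.7 qname=example.org qtype=ANY qlen=36 rlen=3120
2013-03-23T10:00:02Z client=198.51.100.10 qname=example.com qtype=AAAA qlen=29 rlen=57
2013-03-23T10:00:02Z client=203.0.113.7 qname=example.org qtype=ANY qlen=36 rlen=3120
2013-03-23T10:00:02Z client=192.0.2.5 qname=example.org qtype=ANY qlen=36 rlen=3120
2013-03-23T10:00:02Z client=203.0.113.7 qname=example.org qtype=ANY qlen=36 rlen=3120
2013-03-23T10:00:03Z client=198.51.100.10 qname=example.net qtype=MX qlen=29 rlen=61
2013-03-23T10:00:03Z client=203.0.113.7 qname=example.org qtype=ANY qlen=36 rlen=3120
2013-03-23T10:00:03Z client=203.0.113.7 qname=example.org qtype=ANY qlen=36 rlen=3120
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)"
)

# Assumption: the networks this resolver is meant to serve; anything else means it is open.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {
                "client": m["client"], "qname": m["qname"], "qtype": m["qtype"],
                "qlen": int(m["qlen"]), "rlen": int(m["rlen"]),
            }


def per_client_stats(records):
    """Aggregate query count, ANY count and bytes in/out per source address."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "qbytes": 0, "rbytes": 0})
    for r in records:
        s = stats[r["client"]]
        s["queries"] += 1
        s["any"] += 1 if r["qtype"] == "ANY" else 0
        s["qbytes"] += r["qlen"]
        s["rbytes"] += r["rlen"]
    return dict(stats)


def is_outside_allowed(addr, allowed=ALLOWED_NETS):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in allowed)


def flag_reflection(stats, min_queries=5, min_ratio=20.0):
    """Clients that look like reflection victims: a burst of queries whose answers dwarf
    the questions. The flagged address is the victim being spoofed, not the attacker."""
    flagged = {}
    for client, s in stats.items():
        ratio = s["rbytes"] / s["qbytes"] if s["qbytes"] else 0.0
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[client] = {
                "amplification": round(ratio, 1),
                "any_fraction": round(s["any"] / s["queries"], 2),
                "outside_allowed": is_outside_allowed(client),
            }
    return flagged


def open_resolver_evidence(stats):
    """Addresses we answered that are not ours to serve: the misconfiguration at issue."""
    return sorted(c for c in stats if is_outside_allowed(c))
```

The amplification figure here comes out near 87 for the spoofed victim, in line with the factor of 100 the article quotes; the response to a flagged address is to restrict recursion and rate-limit responses, not to block the victim.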

Joakim Sundberg, security solutions architect at security appliance maker F5, commented:

The Spamhaus attack is a demonstration of the kind of DDoS attack I have been expecting for some time: DNS Reflection. DNS Reflection attacks will play a more prominent role in DDoS attacks in the future.

The major driver for this kind of attack is the decreasing number of bots available for rent, with the authorities more effectively cracking down on major botnets. With a lower number of bots now available, hacktivists and other cyber criminals are finding new ways in which to amplify their attacks.

However there’s deep disagreement about to what extent, if any, the DNS reflection attack thrown against Spamhaus and CloudFlare affected the internet more generally.

CloudFlare’s take, The DDoS That Almost Broke the Internet, is a blog post which states that the attacks against it and Spamhaus eventually spilled over to knacker internet connections across Europe:

Over the last few days, as these attacks have increased, we’ve seen congestion across several major Tier 1s, primarily in Europe where most of the attacks were concentrated, that would have affected hundreds of millions of people even as they surfed sites unrelated to Spamhaus or CloudFlare. If the internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why.

Even the websites of large corporations or hosting providers would be swept away by an attack of this intensity, judging by CloudFlare’s rhetoric. However, this 300Gbps of traffic amounts to heavy congestion on a slip road that didn’t hold up the main flow of traffic across the interwebs.

We understand a massive dip in a graph of traffic flowing through the London Internet Exchange (LINX) on 23 March, a graphic included in CloudFlare’s blog post, is due to a data-plotting glitch and NOT due to the effects of the attack.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/28/spamhaus_mega_ddos_little_collateral_damage/

Patch time for PostgreSQL

The maintainers of the PostgreSQL database have released an urgent patch to cope with a vulnerability that allows remote users to crash servers, while authenticated users can execute arbitrary code.

It’s time for admins to get busy: the Shodan search tool identifies around 170,000 PostgreSQL servers visible from the Internet.

As the advisory for CVE-2013-1899 notes, an argument injection vulnerability “allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a ‘-’ (hyphen).”

It impacts PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13.

An unauthenticated attacker can trigger a denial of service that leaves the server unable to restart after it has crashed. The technique is to cause PostgreSQL error messages to be appended to “targeted files” in the server’s PostgreSQL data directory – the server will only restart once the garbage files are removed or the system is restored from backup.

The code execution vulnerability is less serious, since the scenario is less likely: ThreatPost states that an authenticated user could attack a server with the same name as the user, and execute arbitrary code on the server. ®
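Two triage checks a DBA might want after reading the advisory, as an added example that is not from The Register or the PostgreSQL project: a version comparison against the fixed releases named above, and a scan of connection-failure log lines for database names beginning with “-”. The log line shape used below is constructed for illustration and may not match a real postgresql.log exactly.

```python
"""Triage helpers for CVE-2013-1899 (added example, not project code)."""
import re

# First fixed release on each branch the article lists as affected.
FIXED = {(9, 2): (9, 2, 4), (9, 1): (9, 1, 9), (9, 0): (9, 0, 13)}

_VER_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from SELECT version() output."""
    m = _VER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(banner):
    """True if the banner names an affected branch below its fixed release.

    Branches the advisory does not list (e.g. 8.4) are reported as not
    affected by this particular CVE; check the advisory for those yourself.
    """
    major, minor, patch = parse_version(banner)
    fixed = FIXED.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed


# Constructed log line shape: the server rejecting a connection to an
# unknown database, with the requested name quoted after 'database'.
_DB_RE = re.compile(r'database "([^"]*)" does not exist')


def hyphen_dbnames(log_lines):
    """Return the requested database names that begin with '-'.

    A leading hyphen is the argument-injection pattern the advisory
    describes, so any such name is worth a look regardless of outcome.
    """
    hits = []
    for line in log_lines:
        m = _DB_RE.search(line)
        if m and m.group(1).startswith("-"):
            hits.append(m.group(1))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    'FATAL:  database "sales" does not exist',
    'FATAL:  database "-foo" does not exist',
    'LOG:  connection received: host=10.0.0.5 port=51234',
]
```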

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/04/postgresql_urgent_patch/

Bitcoin-mining malware ENSLAVES computers

Dumb-as-a-post Bitcoin-mining malware has appeared – bringing further proof that the virtual currency’s hyperbolic trajectory is attracting the sort of late-to-the-party shady speculator that telegraphs a jarring fall.

The malware is currently spreading through a wide-ranging link poisoning campaign being run on Skype, a Kaspersky researcher wrote on Thursday. It is not the first Bitcoin-mining malware that has been detected, but its arrival coincides with a period of intense interest in the currency.

Those who click the links are infected with a virus dropper downloaded from a server in India. Once the machine is infected, many other pieces of malware are sent to the computer from Hotfile.com. The malware concurrently connects with a command-and-control server in Germany.

“So what does malware do? To be honest many things, but one of the most interesting is it turns the infected machine to a slave of the Bitcoin generator,” Kaspersky Labs researcher Dmitry Bestuzhev wrote. “The usage of CPU grows up significantly.”

The dropper is detected by Kaspersky as “Trojan.Win32.Jorik.IRCbot.xkt,” he wrote.

Bitcoin is a virtual currency whose supply is algorithmically limited. Bitcoins are created not through a central monetary agency as with traditional currencies, but by computers performing the many CPU-intensive crypto calculations that make the Bitcoin blockchain – the transaction record that lets people have confidence that Bitcoins aren’t being used multiple times, and the supposedly solid fiscal machinery upon which the whole currency rests.

The malware detected by Kaspersky enslaves user computers and forces their CPUs to work on the blockchain, with the script-kiddie hackers behind it hoping for a Bitcoin payoff.

“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security,” the official Bitcoin website reads. “As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins.”

This is all very tricky, so a key sign of your computer being infected is if a process named “bitcoin-miner.exe -a 60 -l no -o http://suppp.cantvenlinea.biz:1942/ -u [email protected] -p XXXXXXXX” is consuming the overwhelming proportion of your machine’s available CPU, Bestuzhev wrote.

Subtle.
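One way to turn the indicator quoted above into a check over a process listing, as an added example that is not from The Register or Kaspersky: rather than matching the whole command line as one literal, it keys on the shape of the miner invocation (the bitcoin-miner.exe image, a pool URL after -o, credentials after -u and -p) together with the CPU hogging Bestuzhev describes. The process rows and the 80% threshold are constructed for illustration; on a real host you would feed in the output of a process enumeration tool instead.

```python
"""Flag processes matching the quoted miner indicator (added example)."""
from urllib.parse import urlparse

MINER_IMAGES = {"bitcoin-miner.exe"}
CPU_THRESHOLD = 80.0  # percent; an illustrative value, not from the article


def parse_miner_args(cmdline):
    """Collect the miner's -o/-u/-p options from a command line, if present."""
    argv = cmdline.split()
    opts = {}
    for i, tok in enumerate(argv[:-1]):
        if tok in ("-o", "-u", "-p"):
            opts[tok] = argv[i + 1]
    return opts


def flag_miner_processes(rows, cpu_threshold=CPU_THRESHOLD):
    """Return (pid, pool host:port) for rows that look like the quoted miner.

    rows: iterable of (pid, image name, cpu percent, command line).
    The indicator is the full shape: miner image, pool URL plus credentials,
    and sustained CPU load; a miner binary sitting idle is not flagged.
    """
    hits = []
    for pid, image, cpu, cmdline in rows:
        if image.lower() not in MINER_IMAGES:
            continue
        opts = parse_miner_args(cmdline)
        if {"-o", "-u", "-p"} <= opts.keys() and cpu >= cpu_threshold:
            hits.append((pid, urlparse(opts["-o"]).netloc))
    return hits


SAMPLE_ROWS = [  # constructed sample data; the miner line is the article's
    (1204, "explorer.exe", 2.1, "C:\\Windows\\explorer.exe"),
    (3388, "bitcoin-miner.exe", 97.5,
     "bitcoin-miner.exe -a 60 -l no -o http://suppp.cantvenlinea.biz:1942/"
     " -u [email protected] -p XXXXXXXX"),
    (4410, "bitcoin-miner.exe", 3.0, "bitcoin-miner.exe --help"),
]
```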

The malware has the fingerprints of script kids, rather than sophisticated hackers, and its appearance can be taken as another sign of a dangerous hypegasm forming around the currency as its valuation soars. At the time we hit the big red Publish button, a single Bitcoin was worth $132, having fallen back from a record high of $147. Just last week the currency was at $75, and at the start of this year it was trading at a piddling $20.

Though the value of Bitcoin with respect to the world’s traditional currencies has risen dramatically, there hasn’t exactly been a boom in the amount of places that actually accept it – some companies and services are getting good headlines by saying they accept Bitcoin, but you can’t walk out to the local newsagent and buy milk with it… yet. ®

Bootnote:

Many analysts are scratching their heads as to why a hard-to-trace currency that cannot be devalued by profligate “monetary easing” (that’s printing money to you and me) is doing well at a time when all the Western nations are vigorously inflating their own currencies to try and spend their way out of an ongoing financial apocalypse. We can hazard a few guesses…

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/05/bitcoin_mining_malware_appears/