STE WILLIAMS

Lasers capture 3D images from a kilometre away

It sounds like a privacy advocate’s worst nightmare: fire an infrared laser, scan the object, get its time-of-flight, and you can create a 3D imaging system that works at up to a kilometre distance.

It’s not a completely new idea, of course. It is, in fact, quite close to how we use airborne LIDAR to get high-resolution digital elevation models. However, using infrared “ToF” or time-of-flight imaging for photography poses challenges, most particularly in getting a decent reflection from clothing and other soft materials.

A team led by University of Edinburgh professor Gerald Buller believes it has solved the challenges by improving the sensitivity at the receiver – down to the single photon level. As a result, the group claims it’s able to resolve the depth of each pixel down to millimetre accuracy.

The scanner uses 1,560 nm pulses, which the researchers say work well in the atmosphere and don’t get drowned out by sunlight.

Applications could include “target identification”, a wonderful euphemism for “working out if there’s someone you want to shoot hidden in the foliage”, as well as remote vegetation monitoring, and watching the movement of rock faces if they’re in danger of collapse. With further development, Heriot-Watt University Research Fellow Aongus McCarthy says, the system could end up both portable and with a range of up to 10 km.

Infrared imaging at 1000 metres

The infrared imaging at 910 m from the subjects: longer processing time yields greater resolution. Source: Optics Express

The work has been published in Optics Express (abstract).

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/05/laser_3d_distance_imaging/

Leaked memo: Apple’s iMessage crypto has DEA outfoxed

Analysis: An investigation by the Drug Enforcement Administration (DEA) in February was temporarily thwarted when the surveillance targets began using Apple’s encrypted iMessage system, according to a document leaked to Cnet.

The intelligence note, entitled “Apple’s iMessages: A Challenge For DEA Intercept,” reported that an investigation by the DEA’s San José branch office found it was “impossible to intercept iMessages between two Apple devices” using “traditional trap and trace devices, pen register devices, or wiretapping data collection through Title III interceptions.”


Messages between iMessage and non-Apple products are sometimes tappable because they are transmitted via SMS protocols, the memo states, but the most efficient method in such cases is to eavesdrop on the non-Apple end of the communication. The memo warns that records obtained from cooperative network providers may not show iMessage traffic.

“Think Criminal”

So is Apple’s latest iPhone going to be the smartphone of choice with those bent on a life of crime? Possibly, but before Apple Stores are flooded with shady types buying multiple handsets with cash, there’s a lot left out of this leaked intelligence report – and the canny criminal might want to hold off for a second.

Apple’s been rather quiet about iMessage since its launch in 2011 as a point-to-point encrypted communications system outside of carrier control. Based on the company’s sole Black Hat briefing on the topic, the iOS system uses a unique identifier burned into the processor for identification, has full AES and SHA support, and uses a hardware encryption engine to save on battery life.

That’s a lot of grunt under the hood, but the math has to be there to back it up. Cupertino has been hiring a lot of security talent over the last few years and the company has obviously seen benefits to its setup.

But even if the iMessage encryption is bulletproof, then what? The DEA will simply go to Apple with a court order and ask for its cooperation, and it’s highly probable that Apple will give it up. We don’t know, because unlike Google, Twitter, and Microsoft, Apple doesn’t have a transparency report showing how often it gets – and complies with – these requests.

But this is also the DEA we’re dealing with, and while it has some good techies, the best computer talent lies elsewhere in the federal government, and the agents were most likely using tools they were given. El Reg wonders how the spooks at the National Security Agency are handling this iMessage decryption.

Cloud still outside CALEA’s clasp

The problem for federal authorities is that iMessage isn’t covered by the 1994 Communications Assistance for Law Enforcement Act (CALEA).

CALEA was originally set up to require telecommunications companies to provide law enforcement with the ability to tap into a target’s calls with a court order. In 2006 this was extended to cover VoIP and broadband traffic, but it doesn’t cover companies such as Apple.

Law enforcement would like to change that, and there’s a concerted push on to extend CALEA to include such wiretap facilities in any communications software that is used in the US. Last month FBI general counsel Andrew Weissmann told the American Bar Association he wanted CALEA extended to cover everything down to the chat function on a game of online Scrabble.

“Those communications are being used for criminal conversations,” he said.

Weissmann said that the intelligence community is currently drafting proposals for new spying powers to be built into national legislation, and that these would be introduced as “a top priority this year.” He declined to give specifics about the laws, but said it was “something that there should be a public debate about.”

It’s not just Apple in the firing line if this happens. Private startups such as Silent Circle are using similar systems for hardened communications on a subscription basis. The demand is certainly there, not just from nefarious types but also from people who want privacy no matter where they travel.

Those companies may now have to provide a backdoor if legislation does go ahead, and that’s going to make their products a lot less appealing if the US government has full access. As for the rest of us, well if you’ve done nothing wrong then you’ve nothing to hide – right?

Wrong. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/04/leaked_imessage_memo_dea_denied/

Advanced Persistent Threats get more advanced, persistent and threatening

Organisations are getting hit with a malicious email attachment or web link designed to evade legacy defences up to once every three minutes, according to a report by security biz FireEye.

FireEye’s latest advanced threat report states tech businesses are at the forefront of cyber-espionage malfeasance, with one event per minute. Some industries are attacked cyclically, while some verticals experience attacks more erratically.


For instance, China recently listed healthcare as one of the priorities in its 15-year science and technology development strategy for 2006 to 2020. This led to a surge in cyber-espionage campaigns against healthcare firms, FireEye’s Rob Rachwald explains in a blog post on the report.

Spear phishing remains the most common method for launching advanced malware campaigns during the second half of last year. Businesses targeted by spear phishing emails generally fall into three general categories: shipping and delivery, finance, and general business.

Zip files remain the preferred format for malware delivery, featuring in 92 per cent of attacks. But blocking or quarantining .zip files at the gateway, even if it doesn’t interfere with legitimate business processes, isn’t really the way ahead.

Attackers are getting even smarter by coming up with sneakier ways to evade detection. For example, FireEye has uncovered examples of malware that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems since the malware doesn’t generate any activity.

In addition, malware writers have also incorporated virtual machine detection as a means to frustrate security analysis of their wares, and DLL files to improve persistence. By avoiding the more common .exe file type, attackers using DLL files stand a better chance of avoiding detection for longer.

FireEye’s report (registration required), published on Monday, is gathered from 89 million malware events and direct intelligence uncovered by the FireEye research team. It reckons the latest generation of cyber-espionage attacks routinely bypass traditional defences such as firewalls, next-generation firewalls, IPS, anti-virus and security gateways.

FireEye has, of course, a vested interest in highlighting the deficiencies of typical corporate defences in talking up the need for its cloud-based security platform. But that doesn’t mean its general assessment that advanced persistent threat crews are running rings around corporate defenders is wrong.

“This report provides an overview of how attacks have become much more advanced and successful at penetrating networks, regardless of industry,” said Ashar Aziz, FireEye founder and CTO. He added:

“As cybercriminals invest more in advanced malware and innovations to better evade detection, enterprises must rethink their security infrastructure and reinforce their traditional defences with a new layer of security that is able to detect these dynamic, unknown threats in real time.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/04/apt_trends_fireeye/

Anonymous joins forces with arch-enemy The Jester against Norks

Hacktivist collective Anonymous and – unusually – some of its enemies have all turned their ire against government websites, propaganda outlets and social media profiles linked to the North Korean regime.

DDoS attacks were launched on Nork government websites and Air Koryo, the country’s airline, after North Korea threatened to restart a mothballed nuclear reactor as part of an escalation in tensions that last week led to North Korea issuing a statement of war against South Korea. Notorious US patriot hacker “th3j35t3r” (“the Jester”) claimed responsibility for the attack against Air Koryo and other sites (here and here), so it’s not just elements of Anonymous that are involved in the attacks but also one of its principal antagonists in cyberspace.


The Twitter account associated with North Korean propaganda outlet Uriminzokkiri was also hit, seemingly by Anonymous as part of Operation Free Korea (OpFreeKorea). Uriminzokkiri’s Flickr photo page was hijacked to feature a “wanted” poster mocking North Korean leader Kim Jong-un, the BBC reports.

The hacktivist collective also claimed to have lifted 15,000 usernames and passwords of Uriminzokkiri.com users. The site, hosted in China, is North Korea’s main propaganda portal, and a not infrequent target of previous attacks, The Next Web reports.

Ordinary North Koreans have no access to the wider internet but are allowed access to government websites and other tightly controlled content via a local intranet system called Kwangmyong. Computer ownership in the country is low and a mobile internet service for foreigners visiting the hermit kingdom was recently suspended.

Anonymous is calling for North Korea’s supreme leader Kim Jong-un to resign, democratic elections, and uncensored internet access. ®

Bootnote

The Jester and Anonymous are arch-enemies over issues such as WikiLeaks but have very occasionally found common ground in the past as with attacks against the Westboro Baptist Church.

“Next we’ll be hearing how Anonymous operators are hiding under Kim’s desk unplugging his ethernet cable too?” th3j35t3r commented sarcastically about the latest attacks, linking to a possibly photo-shopped image.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/04/anon_nork_cyber_offensive/

Got a Sophos Web Protection box? Make sure it’s up to date

Sophos has plugged security holes in its Web Protection Appliance that could place its customers’ internet connections in the hands of eavesdroppers.

The equipment is supposed to filter out suspicious or harmful web traffic for businesses. But the flaws allowed any unauthenticated user to access sensitive configuration files in the product. These documents contain PHP session IDs for the device’s superusers, which can be used by miscreants to masquerade as a logged-in administrator.


The files also potentially contain plaintext credentials for other systems, such as FTP and Active Directory servers.

Once authenticated, users can execute arbitrary commands with full privileges on the appliance, plant backdoors, and snoop on encrypted HTTPS communications.
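The flaw described above turns a readable configuration file into an administrator login, because the file holds the same session ID the browser presents. The vendor’s fix is the update mentioned below; as an added design example (not Sophos code, and not how the appliance stores sessions), the following Python session store shows the mitigation a practitioner would want for this class of failure: the server persists only a SHA-256 digest of each session ID, so a disclosed session store contains nothing a client could put in a cookie. The `SessionStore` class and `leaked_store_gives_access` helper are assumptions constructed for this example.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session store that never persists the raw session ID.

    Only a SHA-256 digest of the ID is written to the store, so a disclosed
    session file yields no value a client could present as a cookie.
    (Constructed example; not the appliance's own session handling.)
    """

    def __init__(self, ttl_seconds=3600):
        self._ttl = ttl_seconds
        self._sessions = {}  # digest -> {"user": str, "expires": float}

    @staticmethod
    def _digest(session_id):
        return hashlib.sha256(session_id.encode("ascii")).hexdigest()

    def create(self, user, now=None):
        """Issue a fresh session ID; only its digest is stored server-side."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(session_id)] = {
            "user": user,
            "expires": now + self._ttl,
        }
        return session_id  # sent to the client once, as the cookie value

    def lookup(self, presented_id, now=None):
        """Return the user for a presented session ID, or None if unknown/expired."""
        now = time.time() if now is None else now
        record = self._sessions.get(self._digest(presented_id))
        if record is None or record["expires"] <= now:
            return None
        return record["user"]

    def persisted_records(self):
        """What someone reading the store on disk would see: digests only."""
        return dict(self._sessions)


def leaked_store_gives_access(store, now=None):
    """Simulate an attacker who has read the persisted store and replays every
    stored value as if it were a session cookie. Returns True if any replay
    authenticates, which with digest-only storage should never happen."""
    for stored_value in store.persisted_records():
        if store.lookup(stored_value, now=now) is not None:
            return True
    return False


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    cookie = store.create("admin", now=1000.0)
    print("client cookie:", cookie)
    print("on-disk records:", store.persisted_records())
    print("replaying leaked records works:", leaked_store_gives_access(store, now=1010.0))
```

Hashing the token at rest does not fix the root cause (an unauthenticated file read), and the private key and plaintext credentials the article says sit in the same files need their own protection; it only removes the one-step jump from “read the file” to “be the administrator”.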

Researchers at Austrian firm SEC Consult unearthed the vulnerabilities and reported them to Sophos.

The Web Protection Appliance is fitted between employees and a business’s public internet connection so that all website traffic to and from staff workstations passes through the filter. This makes interception of sensitive information, such as passwords and cookies, possible on compromised appliances.

Grabbing the contents of unencrypted packets would be trivial for a hacker logged into the box, but what about encrypted traffic? Sure enough, the appliance can monitor the contents of HTTPS connections, and it does so by decrypting the data – allowing any infiltrators to snoop on users.

If HTTPS scanning is switched on, the machine holds the private cryptographic key for a Certificate Authority (CA) root certificate that is installed on all workstations within the company. Thanks to the aforementioned vulnerabilities, the attacker can use this key to sign arbitrary SSL certificates that are trusted by the business’s computers, opening them up to man-in-the-middle attacks: the worker’s computer could be fooled into thinking it was communicating securely with a website, such as Google, when in fact it was sending sensitive data to a miscreant’s server.

That’s according to SEC Consult, which revealed proof-of-concept exploits and described the flaws as critical in this security advisory.

Sysadmins are advised to upgrade the software in the appliances to version 3.7.8.2 as explained in this announcement by Sophos.

In addition, the vendor told El Reg it rolled out updates to its customers in three phases over a two-week period. It said in a statement:

As a security company, keeping our customers safe is our primary responsibility. Improving protection is, of course, key as is ensuring the security of our products. We achieve this through rigorous and regular testing as well as welcoming findings from independent security advisers.

On 21 February 2013, Sophos was contacted by Stefan Viehböck of SEC Consult Vulnerability Lab. His report outlined vulnerabilities discovered by Wolfgang Ettlinger in the web-based user interface (UI) of the Sophos Web Appliance.

The issues reported were resolved with the 3.7.8.2 release of the Sophos Web Appliance software in March 2013. This went to an initial group of customers on March 18, to a larger group on March 25 and will be made available to all remaining customers on April 1.

Sophos added that it “greatly appreciates” the work of Wolfgang Ettlinger, Stefan Viehböck and other security researchers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/04/sophos_fixes_web_appliance_security/

Bank card-slurp nasty ‘infects tills, ATMs’, corrupt staff fingered

Audacious crooks have infected hundreds of shopping tills and cash machines with malware to swipe sensitive debit and credit card data, we’re told.

Researchers at Russian security firm Group-IB said the software nasty is called Dump Memory Grabber, which targets computers running Microsoft Windows. It can swipe information about cards issued by US banks as well as Nordstrom-branded cards. The malware is primarily targeted at point-of-sale terminals.


Several hundred internet-connected tills and ATMs in America are infected, according to Group-IB. The malware is written in C++ and designed to read the RAM of compromised systems attached to card readers; it picks out the sensitive financial data and then uses FTP to upload the account numbers, names, card expiry dates and other details to a server under the control of unidentified swindlers.

This information is used to make counterfeit credit or debit cards. Group-IB reckons that the hole-in-the-wall machines and tills are largely being infected by corrupt insiders.
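The article says the malware reads the RAM of systems attached to card readers and picks out card data. The corresponding incident-response check is to confirm whether a suspect terminal actually had card data exposed in memory. The following Python script, an added example that is not Group-IB’s tooling or anything from the malware, scans a memory image for ISO/IEC 7813 track-2 records, discards candidates that fail the Luhn check, and reports only masked PANs and expiry dates so the triage output itself is not a cardholder-data record. The sample image is constructed inline around a well-known test card number; `scan_memory_image`, `luhn_valid` and `mask_pan` are assumed names.

```python
import re

# Track-2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
# PANs are 13 to 19 digits; the pattern is kept strict to limit false positives.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; rejects most random digit runs in memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual receipt masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory_image(image: bytes):
    """Return (offset, masked PAN, expiry 'YYYY-MM') for each plausible record."""
    hits = []
    for m in TRACK2_RE.finditer(image):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue
        yy, mm = m.group(2).decode(), m.group(3).decode()
        if not 1 <= int(mm) <= 12:
            continue  # not a real expiry date, so not a real track record
        hits.append((m.start(), mask_pan(pan), f"20{yy}-{mm}"))
    return hits


# Constructed sample "memory image": binary noise around one test card number
# (4111111111111111 is a publicly known Luhn-valid test PAN, not a real account)
# and one decoy that looks like track data but fails the Luhn check.
SAMPLE_IMAGE = (
    b"\x00\x00MSR\x01config=1;4111111111111111=25121010000000000?\x00\x00"
    b"junk;1234567890123=26011010000?\x00more"
)

if __name__ == "__main__":
    # For a real case, read the acquired image: open(path, "rb").read()
    for offset, masked, expiry in scan_memory_image(SAMPLE_IMAGE):
        print(f"offset {offset}: {masked} exp {expiry}")
```

A hit proves that unencrypted track data was resident in memory on that host, which is the fact the investigators and the card brands need; the offsets point at which process to examine next. Scanning a full image with a regex is slow but adequate for a one-off triage; a tool such as a memory-forensics framework would map hits back to process address spaces.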

The author of Dump Memory Grabber even recorded an instructional video to teach wannabe forgers how to use the malign tool, Security Week reports. Various clues suggest that a Russian hacker using the pseudonym “Wagner Richard” created Dump Memory Grabber as a sideline to his career as an internet hitman: the malware programmer will, for a fee, use a “site stressor” tool to take down a website – a distributed-denial-of-service attack in other words.

Late last month security firm McAfee reported that a similar trojan called VSkimmer was being traded in carding forums. This malware can detect card-reader hardware attached to infected Windows computers, grab all the banking information it can, and upload the swiped data to a control server. The trojan appears to be a successor of an earlier cybercrime tool called Dexter, which also targeted card payment terminals running Windows.

Group-IB has shared its research on Dump Memory Grabber with US law enforcement agencies, affected banks and Visa. A summary of Group-IB’s dossier, complete with screenshots of the malware’s control panel, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/04/atm_malware/

Card skimmers targeting more than ATMs, says EU

Crooks are branching out beyond bank ATMs by installing card skimming devices on payment terminals ranging from train ticket kiosks to parking meters, according to European anti-fraud experts.

At least five countries have logged skimming attacks against railway, bus or metro ticket machines, the European ATM Security Team (EAST) warns. Further attacks have been recorded against car parking meters, while a further three countries have seen skimming devices fitted to point-of-sale terminals.


Traditionally, skimming devices have had the ability to store card data, which is sometimes used in conjunction with pinhole cameras or other techniques to record users’ keystrokes. Captured data is then sent to fraudsters, using mobile phone data networks. More recently crooks have adopted Bluetooth devices as a means to transmit stolen card data and corresponding PINs.

Looking further afield, EAST also reports the deployment of fake ATM fascias (placed over genuine ATMs) as part of plastic card scams in Latin America. The fake fascias include screens giving crooks the ability to display messages to victims.

Typically, marks are (falsely) informed that a terminal is “out of order” when they insert a card and attempt to withdraw cash. The fake unit, which comes with a built-in card skimmer, also contains a built-in keypad that fits over the real keypad and makes it much easier to record PINs.

Most skimming-related card fraud stems from countries that are yet to introduce chip-and-PIN cards such as the US, Brazil, Mexico, Peru and Thailand. Skimming attacks carried out in Europe are used to steal the information needed to make counterfeit cards, which are then used to make withdrawals in countries yet to adopt the EMV (short for Europay, MasterCard and Visa) standard. That’s because forging a magnetic strip is simplicity itself, while cloning a chip is extremely difficult.

European banks are attempting to combat this type of fraud by introducing geo-blocking on debit and credit cards.

Crude blags involving theft of cash machines or forcing them open and looting their contents are still prevalent, EAST notes.

“Ram raids and ATM burglary were reported by nine countries,” says the report. “Seven countries reported explosive gas attacks, and this form of attack appears to be increasing across Europe.”

Other scams include the use of cash claws designed to trap cash withdrawals made by genuine customers. The money is not visible to the mark because it’s held behind the cash slot. The ATM will log a fault but is physically unable to retrieve the cash back into the dispenser because it is trapped in the claw. Crooks return after customers have left to force the shutter open and obtain both the claw and any cash it has caught.

“Cash trapping incidents were reported by eighteen countries, with significant increases being reported by three of them,” EAST reports. “Usage of the cash claw for cash trapping is spreading and this device is also being used to assist with transaction reversal fraud.”

Pictures of cash claws, along with a more detailed description of this type of attack, can be found in a blog post by cybersecurity blogger Brian Krebs here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/03/card_skimmer_atm_fraud_trends/

ICANN under fire as Verisign warns of rushed domain-name expansion

ICANN’s big generic top-level domain (gTLD) rollout, planned for April 23, needs to be delayed because the system isn’t ready, Verisign and others are warning – and ICANN itself has told The Register that the first gTLD domains won’t come online until at least August.

“April is a launch date in the sense that it’s a public launch, a media launch, an awareness-raising exercise – but we don’t actually sign contracts on the 23rd,” ICANN’s VP of security Jeff Moss told us. “Timelines will be adjusted depending on when registry and clearing houses are ready. It’s going to be August, I think, maybe.”


Last week, Verisign issued a public letter and white paper going over some of the failings of the gTLD system as it stands. It cited problems with the Trademark Clearing House and Emergency Back End Registry Operator (EBERO) disaster-recovery system that were still not sorted out, and said that in some cases it would take three months or more to fix certification issues.

“Adequate buffers should exist in ICANN published timelines that account for implementation, internal testing, security auditing and vulnerability testing, pilots and early field trials, and deliberate transition to operations; it’s apparent little consideration has been given to this in the current timelines published by ICANN,” the report states.

“In order to ensure a successful implementation of each new gTLD, it is essential that proper planning be conducted in advance.”

Moss told El Reg that there was nothing new in the Verisign report that wasn’t already under published discussion. A maximum of a thousand new gTLD domains (out of nearly 2,000 registered) are going to be rolled out per year, but only after all of these security problems have been fixed.

“We’re really close partners with Verisign,” Moss explained. “We work with them constantly. We’ll work with them on any issues – neither one of us wants to be known as the company who wrecked the internet.”

Suitable caution is being observed, he said. “In our world we call it SSR; security, stability resilience. If there’s a big SSR problem, then that stops the whole freight train until we can address those concerns.”

Verisign isn’t the only one raising security issues. In an open letter last month, PayPal too expressed concerns of serious security failings in the gTLD system. But Moss explained that this was normal and that where companies find issues like this, ICANN encourages them to publish it so as to encourage the development team.

But outside of the security arena there are other calls for the gTLD rollout to be slowed down. The Association of National Advertisers (ANA), representing major global brand advertisers, has also called for the process to be stopped until companies get better protection from cybersquatters.

Dan Jaffe, the ANA’s VP of government relations, told The Register that if you add up gTLD registration fees, domain buying to protect brands, and the costs of legal action against those who try to piggy-back on them, business could face a billion-dollar bill for little or no reward.

“When .xxx came out, the most recent one, virtually every college and university signed up for .xxx,” he said. “Why? Not because the universities want to do that, but [because they] didn’t want their name associated with that domain – as did many, many companies. Now we have .wtf, .sex, .gripe, and other sites that consumers could be tricked into.”

It looks like the ANA and others will have a bit more time on their hands now that the system has security issues to sort out. Ultimately, no one’s going to be perfectly happy with the gTLD system, but by August a few more wrinkles should have been sorted out.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/02/gtld_flaws_verisign_icann/

Head of privacy at Google leaves. Yes, that’s a real job

Google’s top privacy wonk Alma Whitten is stepping down from her role at the company after three years in the job.

Her departure comes just weeks after Anne Toth, who was poached by Whitten from Yahoo! in 2011 to head up privacy at Google+, departed from Mountain View for personal reasons.


Forbes reported that Whitten was retiring from the ad giant. She was promoted by Google in the aftermath of a number of high-profile privacy blunders, including a major cock-up with the company’s controversial fleet of Street View cars that slurped payload data from unencrypted Wi-Fi networks around the world.

Whitten’s team was later tasked with pulling together more than 70 different privacy policies into one main terms-of-service, which led to an outcry from some of Google’s users in March 2012 when the changes were implemented.

Google told Forbes:

During her 10 years at Google, Alma has done so much to improve our products and protect our users.

The privacy and security teams, and everyone else at Google, will continue this hard work to ensure that our users’ data is kept safe and secure.

Toth, who recently quit the company to care for her dying mother, was critical of reports covering Whitten’s resignation that flagged up how uneasy it was to be a privacy wonk at Google right now:

She did a lot of good at Google. Could she have done more? I really don’t know. Privacy can certainly be a thankless job as this shows. But I was glad to know Alma and glad to have gotten to work with her. I wish her the very best. I know Google is better for her having worked there.

Whitten will serve out her notice at Google before handing the job over to Lawrence You, who will head up the privacy and security team at the company. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/02/alma_whitten_quits_google/

Merde! Dummkopf! Google Translate used as spam cloak

Spammers are using Google Translate to disguise links to dodgy websites.

All sorts of internet pond life, particularly purveyors of blue pills purporting to pump blokes’ performance between the sheets, are relying on the reputation of Google’s language translation service to smuggle web links through mail filters. Security researchers at Barracuda Networks, which collects and analyses samples of spam, clocked messages attempting to defeat reputation filters using this tactic.


When a user clicks on a link in the junk mail, the web browser and Google are instructed to follow a chain of pages until the dodgy website is reached.

The link in the spam email points to Google Translate, which can act as a URL redirector. Google Translate is told to fetch a second address embedded in the first link. This second address is a URL shortened by a service such as Yahoo!’s y.ahoo.it. This shortened address is expanded and followed by Google’s systems to a hacked website, which contains a small bit of text that Google Translate ultimately tries to process.

But the compromised website also includes code that breaks the browser out of the Google Translate iframe and redirects the user, finally, to the rogue online pharmacy shop. It’s a multi-stage obfuscation process designed to fox anti-spam software, which may simply inspect the message and approve it because all it can see is the Google link.
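The redirection chain described above defeats a filter that only looks at the outermost hostname. The following Python example, added here and not Barracuda’s or Google’s code, shows the mail-filter check a practitioner would add: it unwraps a Google Translate link to the page address it carries in the `u` query parameter (the real parameter of the translate front end), and flags the message when that embedded address points at a URL shortener, which is the pattern the article describes. The shortener list, the sample message and the function names `unwrap_translate`, `classify_link` and `scan_message` are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# The translate front end described in the article.
TRANSLATE_HOSTS = {"translate.google.com"}
# Assumed shortener list for the demo; a production filter would use a maintained one.
SHORTENER_HOSTS = {"y.ahoo.it", "bit.ly", "goo.gl", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_translate(url):
    """Return the page address embedded in a Google Translate link, else None."""
    parts = urlparse(url)
    if parts.hostname not in TRANSLATE_HOSTS:
        return None
    params = parse_qs(parts.query)  # percent-decodes the embedded URL
    if "u" not in params:
        return None
    return params["u"][0]


def classify_link(url):
    """Follow the static part of the chain (no network access) and give a verdict."""
    chain = [url]
    target = unwrap_translate(url)
    if target is None:
        return {"chain": chain, "verdict": "clean"}
    chain.append(target)
    host = urlparse(target).hostname or ""
    if host in SHORTENER_HOSTS:
        # Translate wrapping a shortener is the two-hop pattern used to hide
        # the final destination from a filter that only sees the Google link.
        return {"chain": chain, "verdict": "translate-redirect-to-shortener"}
    return {"chain": chain, "verdict": "translate-redirect"}


def scan_message(body):
    """Return the classification of every non-clean link found in a message body."""
    results = []
    for url in URL_RE.findall(body):
        verdict = classify_link(url)
        if verdict["verdict"] != "clean":
            results.append(verdict)
    return results


# Constructed sample spam body: one translate-wrapped shortener, one ordinary link.
SAMPLE_MAIL = (
    "Special offer, see our catalogue:\n"
    "https://translate.google.com/translate?sl=fr&tl=en&u=http%3A%2F%2Fy.ahoo.it%2Fabc123\n"
    "Unsubscribe: https://www.example.com/unsubscribe\n"
)

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MAIL):
        print(hit["verdict"], " -> ".join(hit["chain"]))
```

The check stops at the shortener on purpose: resolving it would need a network fetch from the filter, and the article’s point is that the combination itself is the signal, since ordinary mail rarely asks Google to translate a shortened link. A filter can score on that verdict without ever visiting the compromised site.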

Barracuda researchers Dave Michmerhuizen and Shawn Anderson found that the search giant’s translation service is blocking many of the dodgy links, but the tactic is nonetheless a concern because it may easily be used to lure users into visiting malware-tainted websites.

“We’ve tested many of these links in the lab, and it appears that Google may be implementing code that defeats frame-busting, but our tests are inconclusive. Some links now redirect to google.com, while others still redirect to pharmacy sites. We certainly hope this technique is not discovered by malware distributors,” the Barracuda researchers explained in a blog post.

“In any case, it’s worthwhile to know that spammers are taking these extreme steps to hide what they’re doing, and no matter how good your spam filtering solution you have to be especially aware of emailed links. In short, don’t click on them.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/02/google_translate_spam_abuse/