STE WILLIAMS

Pop tix touts slung in the cooler for 4 years after £3m web scam

Two crooks posing as online ticket touts have been jailed for swindling nearly £3m out of pop fans’ pockets.

Andrew Lagan, 44, from Middlesbrough, and Gary Agar, 44, from Welling, have started a four-year stretch after they were found guilty of two counts of conspiracy to defraud and one count of money laundering.

The duo set up the website Hydeparkconcerts.com to flog tickets for big gigs and similar events. Their victims handed over their credit or debit card numbers to pay for passes and received emails from an outfit called Good Time Entertainment confirming the sales.

But two to three weeks later, music fans would receive an email from “customer services” informing them that the promised tickets would not be forthcoming, supposedly because Good Time Entertainment had been let down by its supplier. No refunds were offered and victims were told they would need to go back to their banks or credit card companies for reimbursement.

In reality, there were never any tickets available. The fans’ money passed through a number of overseas bank accounts before it was eventually trousered by Agar and Lagan.

The pair’s business provoked numerous complaints which sparked a police investigation. The conmen were cuffed in 2010 by Met detectives working on Operation Podium, which tackled ticket touts in the run up to last year’s Olympic and Paralympic Games.

Investigators reckoned the Hydeparkconcerts.com pair pinched almost £3m from the public. The con men were sentenced on Friday at Harrow Crown Court.

Detective Superintendent Nick Downing said: “These two fraudsters deliberately exploited the public demand for tickets for high profile events, taking money from people for tickets which they were not going to supply, and defrauding banks and credit card companies who were forced into reimbursing victims for their loss.

“If you are buying tickets for events, make sure that you only buy from official sites to ensure that your ticket is genuine and that you ultimately get to see the event you have paid for.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/28/ticket_touts_jailed/

Patch often: Cyber-crim toolkits love stinky old gaping holes

More than two in three exploit kits that attempt to inject malware into web surfers’ computers were developed in Russia – and at least one in two exploit rather old vulnerabilities.

Blackhole 2.0 is the most often used hacking toolkit – installed on websites to attack and take over visitors’ computers – but it targets fewer software security holes than rival cybercrime kits. That’s according to a fresh report by managed security biz Solutionary.

Contrary to hype that exploit kits target unpatched flaws in products, Solutionary found the majority (58 per cent) of exploited vulnerabilities were more than two years old.

The company reviewed 26 commonly used kits and discovered code abusing security bugs dating as far back as 2004, evidence that old vulnerabilities continue to be mined for profit by cybercrooks. Criminal hackers typically compromise otherwise legitimate websites to plant hacking toolkits and distribute fake antivirus software, banking Trojans and other nasties.

Researchers at the security firm concluded that antivirus products cannot detect 67 per cent of malware being distributed, a finding that is likely to be controversial. The practical upshot is that surfers would be wise to regularly update applications – especially Adobe Flash, web browsers and the Java runtime – rather than rely on security scanners to block any attacks that come their way.

“Exploit kits largely focus on targeting end-user applications,” said Rob Kraus, a director of security research at Solutionary. “As a result, it is vital that organisations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise.”

A complete copy of Solutionary’s Q4 2012 threat report can be found here (registration required). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/28/exploit_kits_mine_old_vulns/

Scottish Power blows a fuse after Twitter hijacking

A Scottish Power Twitter account was hacked this morning to usher customers into the clutches of web miscreants.

Many of the 2,000-plus followers of the UK utility’s @SP_EnergyPeople feed received malicious direct messages tempting them to visit a phishing website designed to harvest Twitter login details.

Scottish Power quickly regained control of its account, which is used to answer customer queries, and restored service to normal. It apologised for the security snafu, which coincides with the celebration of Burns Night* north of the border.

“Seems like a lot of hacked accounts last night. Apologies once again, passwords etc have all been reset and #twitter have been notified,” it said.

Corporate Twitter accounts can be hijacked or joyridden in a number of ways: easily guessable passwords can allow mischief-makers to compromise feeds, or staff could fall victim to a phishing attack, for example. Account takeovers on Twitter can be used to lure web surfers into identity-theft websites or promote diet pill scams, both of which have become “very common”, a researcher at security biz Sophos told El Reg.

“The spammed Tweets include a bit.ly URI which directs users to a phish site masquerading as Twitter,” explained Sophos researcher Fraser Howard. “Bit.ly have already blocked the URI, and so any users now following that link will see the bitly block page,” he added. ®

* A celebration of the life of 18th century Scottish poet Robert Burns – generally consisting of traditional music and dance, poetry recitals and often a slap-up dinner.

Bootnote

Thanks to Reg Reader Paul M for the tip.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/25/scottish_power_twit_hijack/

Silly gits upload private crypto keys to public GitHub projects

Scores of programmers uploaded their private cryptographic keys to public source-code repositories on GitHub, exposing their login credentials to world+dog. The discovery was made just before the website hit the kill switch on its search engine or, more likely, the service collapsed under the weight of curious users trawling for the sensitive data.

The ability to search for private Secure Shell (SSH) keys on the popular open-source code haven came to light yesterday in tweets and other messages on social networks. At least some of the credentials can still be found using Google and other external web crawlers.

GitHub has more than 2 million users but only a minuscule proportion made the daft mistake of uploading their private instead of just their public crypto keys. Private keys reportedly exposed included the SSH login for a major website in China.

The snafu could allow anyone to surreptitiously log into affected developers’ GitHub accounts to alter their projects and gain access to any other online services that use their leaked keys.

The website improved and revamped its search functionality on Wednesday, an improvement that probably enabled the ability to find .ssh/ files.

Some security watchers commented that GitHub could have prevented users uploading private crypto keys with a well-chosen filter – for example blocking public uploads of ~/.ssh/ and ~/.gnupg data – but that doesn’t excuse developers for doing something so silly.
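The kind of filter described above, as an added example rather than anything GitHub or Sophos published: it flags private key material both by location (the private halves under ~/.ssh/ and the secret keyrings under ~/.gnupg/) and by content (PEM and PuTTY private key headers), while letting the public halves, authorized_keys and known_hosts through. The path rules, the signatures and the sample files are all constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# File names inside ~/.ssh/ that are meant to be shared (public halves, client config).
PUBLIC_SSH_NAMES = {"authorized_keys", "known_hosts", "config"}

# Content signatures of private key material. The PEM header covers OpenSSH, RSA/DSA/EC,
# encrypted and PGP secret blocks; PuTTY stores its private keys behind its own header line.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?-----"
)
PUTTY_RE = re.compile(rb"^PuTTY-User-Key-File-\d", re.MULTILINE)


def classify_path(path: str) -> Optional[str]:
    """Flag a file purely by where it lives: ~/.ssh/ private halves and ~/.gnupg/ secrets."""
    parts = path.strip("/").split("/")
    name = parts[-1]
    if ".ssh" in parts:
        if name.endswith(".pub") or name in PUBLIC_SSH_NAMES:
            return None  # the public key and SSH client config are fine to publish
        if name.startswith("id_") or name.endswith("_key"):
            return "SSH private key by path"
    if ".gnupg" in parts:
        if name == "secring.gpg" or "private-keys-v1.d" in parts:
            return "GnuPG secret keyring by path"
    return None


def classify_content(data: bytes) -> Optional[str]:
    """Flag a file by content, so a key renamed to deploy.key or copied into a repo still trips."""
    m = PEM_PRIVATE_RE.search(data)
    if m:
        return "private key header " + m.group(0).decode("ascii")
    if PUTTY_RE.search(data):
        return "PuTTY private key header"
    return None


def scan(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file that should never reach a public repository."""
    findings = []
    for path, data in files.items():
        reason = classify_path(path) or classify_content(data)
        if reason:
            findings.append((path, reason))
    return findings


# Constructed sample commit: the bodies are placeholders, not real keys.
SAMPLE_FILES = {
    ".ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTEDPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    ".ssh/id_rsa.pub": b"ssh-rsa AAAAB3CONSTRUCTED dev@example\n",
    ".ssh/known_hosts": b"github.com ssh-rsa AAAAB3CONSTRUCTED\n",
    "deploy/server.key": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTEDPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n",
    "notes/putty.ppk": b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n",
    "README.md": b"# project\n",
}

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_FILES):
        print(f"BLOCK {path}: {reason}")
```

The same two checks fit a client-side pre-commit hook, which is where a developer can catch the mistake before the push rather than after a search engine does.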

Those exposed by the blunder should replace their compromised keys sooner rather than later. SSH, in simple terms, is typically used to provide encrypted access over the net to accounts on Unix-style operating systems.

A blog post by Sophos on the incident, illustrated by screenshots and private and public SSH keys, can be found here.

GitHub’s status page showed its search functionality was unavailable, implying that this was due to a minor system failure rather than a deliberate move to minimise harm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/25/github_ssh_key_snafu/

Activists urge Skype: Tell us who is spying on us

A coalition of activists, privacy organizations, journalists, and others have called upon Microsoft to be more forthright about when, why, and to whom it discloses information about Skype users and their communications.

In an open letter published on Thursday, the group argues that Redmond’s statements about the confidentiality of Skype conversations have been “persistently unclear and confusing,” casting the security and privacy of the Skype platform in doubt.

“Many of its users rely on Skype for secure communications – whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the letter explains.

Among the group’s concerns is that although Skype was founded in Europe, its acquisition by a US-based company – Microsoft – may mean it is now subject to different eavesdropping and data-disclosure requirements than it was before.

The group claims that both Microsoft and Skype have refused to answer questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted.

The letter calls upon Microsoft to publish a regular Transparency Report outlining what kind of data Skype collects, what third parties might be able to intercept or retain, and how Skype interprets its responsibilities under the laws that pertain to it. In addition it asks for quantitative data about when, why, and how Skype shares data with third parties, including governments.

As the letter points out, several other companies already provide such reports, including Google, Twitter, and Sonic.net. Google’s most recent report showed government requests for user data from online companies have increased 70 per cent in just three years.

Microsoft bought Skype in 2011 for $8.5bn and has since been working to make the service a key pillar of its communications strategy. Most recently, Microsoft announced that it would shut down its Windows Live Messenger service in March and urged all current Messenger users to switch to Skype.

Redmond’s strong-arm tactics haven’t pleased Messenger fans, but they’ve impressed privacy advocates even less, given the ambiguity about what information Skype discloses.

“On the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for Microsoft to publicly document Skype’s security and privacy practices,” Thursday’s open letter reads.

The letter is co-signed by a total of 61 individuals and 45 organizations, including such groups as the AIDS Policy Project, Cyber Arabs, DotConnectAfrica, the Egyptian Initiative for Personal Rights, the Electronic Frontier Foundation, Reporters Without Borders, the Thai Netizen Network, and the Tibet Action Institute.

When The Reg reached out to Redmond for comment, a spokesperson said Microsoft was reviewing the letter.

“Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people’s online safety and privacy,” the company said in an emailed statement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/25/activists_demand_skype_transparency/

Public genome databases can leak identity

Public genome data is a significant risk to individuals, according to research led by Yaniv Erlich, a geneticist at the Whitehead Institute for Biomedical Research.

The team that Erlich led was able to de-anonymise genome data using only public information and careful Internet searches. A little chillingly, individuals could be associated with patrilineal genetic characteristics, even if they weren’t in the databases. A family member’s presence in the database can be enough, if they’re related in the male line and carry the same surname.

Working with data published in two public genomic databases, Ysearch and SMGF, Erlich demonstrated the privacy risk by matching chromosome data with 50 individuals, in a paper published in Science (abstract here, full paper available free with registration).

Among the genome data recorded in the databases is a genetic marker called “short tandem repeats” (for which genetic science hasn’t yet identified a specific purpose), which are passed down the male line.

As the paper notes, it had been assumed that listing surnames in the databases didn’t place individual identity at risk, since surnames “could match thousands of individuals”. However, the genome data has become a genealogy tool as well, in databases such as YBase.

DNA sequencing pioneer Dr Craig Venter volunteered as a test subject in the research. With only the relevant DNA sequence, Dr Venter’s age, and the US state where he lives, Erlich was able to retrieve just two possible records – one of which was Dr Venter.

With a known surname, the searches become even more accurate: “Combining the recovered surname with additional demographic data can narrow down the identity of the sample originator to just a few individuals,” Erlich states in the paper.

“Surname inference from personal genomes puts the privacy of current de-identified public data sets at risk”, it continues.

“In five surname recovery cases, we fully identified the CEU* individuals and their entire families with very high probabilities … data release, even of a few markers, from one person can spread through deep genealogical ties and lead to the identification of another person who might have no acquaintance with the person who released his genetic data”. ®

*CEU refers to a particular genetic dataset: “multigenerational families of northern and western European ancestry in Utah who had originally had their samples collected by CEPH (Centre d’Etude du Polymorphisme Humain)”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/anonymous_dna_traces_individuals/

Latest Symantec CEO’s ‘revolution’ could axe 1,000 jobs

Symantec’s latest CEO plans a “revolution” to create a 4.0 version of the firm by slashing bureaucracy, shaking up its portfolio, renewing a direct sales push in the enterprise, and cutting staffers.

An insider told Bloomberg that the reorganisation could impact up to 1,000 employees. The plan was formed by Steve Bennett, who spent his first six months in the job on a globe-spanning whistle-stop tour meeting partners, customers and analysts to hear feedback on the firm.

The change is starting at the top: Bennett, who seized the reins of global sales in the last quarter and is also company president, will step down as chairman. Board director Dan Schulman will slip into the chairman’s office.

Bennett, the former boss of Intuit who replaced ousted Symantec CEO Enrique Salem in July, said he had tried to understand why the business was under-performing. Bennett has also created a new “Office of the CEO” – a team of execs including a CFO, president of products and services and a COO – to help him make decisions more effectively.

Feedback from some quarters was that Symantec is a “company of promises … probably unfilled promises, and that’s why we are going to change with Symantec 4.0,” said Bennett.

He added the biz has “great point solutions built mostly from acquisition. We haven’t fully integrated the value of these different point solutions to solve important customer problems”.

Symantec is going to focus on 10 “key areas” that combine existing tech and services into “solutions”, but said customers will be able to buy individual products. This process will take two years, he added.

Bennett claimed Symantec is not delivering “technical support experiences” across the globe and dealing with that is work in progress.

Like many large companies the software maker is also hamstrung by bureaucracy, the boss admitted.

“We don’t have a system; our process, our technology, the tools we have, our knowledge management, our sales force is not empowered and freed up to sell. They’re doing too much administrative stuff, they’re doing too much internal negotiation,” he said. The organisation is a “bit demoralised” because some hard-working folk “felt like they were losing” and Symantec has become “an exporter of talent”, the chief added.

Sales and channel plans emerge

Bennett said the software biz will continue to “rely heavily on the [distribution] channel to manage current customers” and revealed this will “free up” the direct sales guys to generate “new business”.

At the top of the classic sales pyramid, in the corporate enterprise, Bennett said the firm would deploy “Symantec resources calling directly on these customers with partners involved on a customer-led basis”.

“On commercial, we’re basically going to have self-contained teams focused on the channel, working with our partners to grow their business and grow our business in collaboration with a philosophy that says ‘we’re going to work together to win in the marketplace, and we’ll split the economics in some way that’s fair’.”

He said sales peeps at the coal-face will be given “greater empowerment” as Symantec cuts the lines of report: “As such there will be fewer executives and middle management positions, resulting in a reduction in the workforce. This process is expected to be completed by the end of June 2013.”

This will result in estimated severance payments of roughly $275m in fiscal 2014.

Symantec’s financial numbers under the spotlight

The company this week filed results for fiscal Q3 ended 28 December with turnover up 4 per cent year on year to $1.79bn – the highest organic growth rate seen in more than four years.

There was a hiccup in the consumer market – sales slipped 1 per cent – but this was more than offset by gains in the Security Compliance and Storage and Server Management units.

The bottom line didn’t fare as well, falling 12 per cent to $212m, and clearly this, past quarters’ numbers, and the feedback from customers have spooked Symantec.

Symantec Q3 fy2013 revenues and profits

“We have tough competitors,” said Bennett, “so this work won’t be an evolution. We can’t get there through incremental steps to try and move to where we need to be. So no evolution, Symantec 4.0 is all about a revolution.”

As for rumours that Altiris will be offloaded, there was no word from Symantec of a sell-off. ®

Article source: http://go.theregister.com/feed/www.channelregister.co.uk/2013/01/24/symantec_restructure/

Brit mastermind of Anonymous PayPal attack gets 18 months’ porridge

A British member of the hacking group Anonymous was jailed today for orchestrating attacks that knocked PayPal, Visa and Mastercard offline.

Christopher Weatherhead, 22, who used the online nickname “Nerdo” and was described by prosecutors as “a high-level operator”, was sent down for 18 months by Southwark Crown Court. Ashley Rhodes, 28, an Anonymous crony, was jailed for seven months.

Another British Anon, Peter Gibson, 24, was given a six-month sentence suspended for two years for playing a lesser role in the online attacks. The fate of a fourth defendant, Jake Birchall, 18, will be decided at a later date.

Judge Peter Testar noted that the distributed-denial-of-service (DDoS) assaults against PayPal and others weren’t aimed at making money and instead were ideological – but said the attacks were targeted and they were meant to cause damage.

“It’s intolerable that where an individual or a group disagrees with a company they should be able to interfere with its activity,” he said.

The attacks were part of “Operation Payback”, an Anonymous campaign that first targeted anti-piracy sites, music labels and movie studios but then moved against financial firms that refused to process donations to Wikileaks after the website published leaked US diplomatic cables.

These DDoS assaults were launched using the Low Orbit Ion Cannon (LOIC), a tool favoured by Anonymous and typically used by dozens if not hundreds of people at a time to overwhelm a web server. The hackers cost PayPal £3.5m ($5.5m), we’re told, and forced it to take more than a hundred staff from parent firm eBay just to keep its website up and running while the attacks took place over a few weeks.

Although Weatherhead, of Northampton, who was studying at the town’s university at the time, claimed that he only looked on while others launched the attacks in 2010, the court convicted him of one count of conspiracy to impair the operation of computers in December.

Rhodes of Camberwell in London, Gibson from Hartlepool and Birchall of Chester had already pleaded guilty to the charge.

“In short, the crown says that Weatherhead is a high-level operator, an organiser, a purchaser at the top of the indictment,” Joel Smith, prosecuting, told the court.

‘He’s not the first student to try to change the world and come a cropper’

Mark Ruffell, defending, said that although Weatherhead was responsible for his own actions, the attacks in question were carried out by any number of the 11,000 people logged into the Anonymous chat server, which was used to spread the word about the timings and targets of the DDoS attacks. He also argued that Weatherhead’s first and main motive was youthful idealism and a belief that copyright was wrong.

“He’s not the first student, nor will he be the last, to try to change the world and come a cropper,” Ruffell said.

However, Judge Testar was satisfied that Weatherhead “had a main role”.

“It was apparent to me from those [chat server] logs that he was directing the activity of others. He gave encouragement, he gave technical advice, he nominated targets,” he said.

Smith said that Rhodes and Gibson were heavily involved in “doxxing”, a process that involves dragging up and compiling as much information as possible about a target.

Documents recovered from Rhodes’ computer showed that Weatherhead had congratulated the pair on their research. However, it was accepted by the court that Gibson did not play a part in the conspiracy during the time PayPal, Mastercard and Visa were under attack.

Gibson’s barrister told the court that her client’s involvement with the group was much shorter than the others and that he stopped chatting to the group when he realised that they were going to attack the payment-processing sites.

“Gibson disconnected from the group when he realised they intended to attack financial targets, which he strongly disagreed with, so he broke off all contact. It was a purposeful act on his part and he never returned, he never went back,” she said.

Gibson’s realisation that he was doing wrong was why Judge Testar suspended his sentence.

Rhodes was “known to have a more hands-on approach”, Smith told the court. “He was the only one with a LOIC on his computer and his conversation on IRC seemed to focus more on the attacks.”

Nina Grahame, defending Rhodes, said that he was an “enthusiastic participant” in online Anon conversations, but pointed out that whenever he boasted about an attack, it was the DDoS assault on the website of London nightclub Ministry of Sound rather than the campaign against the financial services.

She also told the court of Rhodes’ ideological stance and said that while he often encouraged others, he never achieved high status himself in the group. In relation to his doxxing, she said that the research he came up with was often information that was freely available.

But Judge Testar said there was “no alternative to custodial sentence” in his case. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/uk_anonymous_hackers_sentencing_payback/

Backdoor root login found in Barracuda gear

Multiple Barracuda Networks products feature an undocumented backdoor, leaving widely deployed data centre kit vulnerable to hijacking.

Undocumented privileged user accounts were found in various Barracuda appliances, including its flagship Spam and Virus Firewall, Web Application Firewall, Web Filter, SSL VPN, and other kit. The accounts cannot be disabled, are hard-wired into the equipment’s operating system, and can be accessed remotely via SSH or the local terminal.

Once logged into a vulnerable machine, hackers can run programs and take over the networking device.

Each appliance uses a firewall to block access to the SSH server, and thus the hidden root accounts, unless the connection originates from an IP address in the private network ranges of 192.168.200.0/24 and 192.168.10.0/24. The firewall rules also allow in network traffic from public IP addresses in the 205.158.110.0/24 and 216.129.105.0/24 ranges – some of which are controlled by Barracuda, but the others are not.

Therefore, an attacker would need to launch an attack from one of these IP addresses at a reachable vulnerable Barracuda device. Network administrators may want to firewall off port 22 completely.
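A model of the appliance’s SSH filter as the article describes it, added here as an example (not Barracuda’s or SEC Consult’s code): it evaluates the allow-list top-down, picks out the allow-list entries that are Internet-routable rather than private address space, and shows the effect of the recommended perimeter block on TCP/22. The rule format and the sample source addresses are constructed; the four /24 ranges are the ones quoted in the article.

```python
import ipaddress
from typing import List, Tuple

# A rule is (action, source network, destination TCP port); first match wins.
Rule = Tuple[str, str, int]

# Constructed reconstruction of the appliance's SSH filter as the advisory describes it:
# only these four /24s reach port 22 and everything else is dropped.
APPLIANCE_SSH_RULES: List[Rule] = [
    ("ACCEPT", "192.168.200.0/24", 22),
    ("ACCEPT", "192.168.10.0/24", 22),
    ("ACCEPT", "205.158.110.0/24", 22),
    ("ACCEPT", "216.129.105.0/24", 22),
    ("DROP", "0.0.0.0/0", 22),
]


def first_match(rules: List[Rule], src: str, port: int) -> str:
    """Evaluate the rule list top-down for a packet from `src` to `port`; default deny."""
    ip = ipaddress.ip_address(src)
    for action, net, rule_port in rules:
        if rule_port == port and ip in ipaddress.ip_network(net):
            return action
    return "DROP"


def ssh_reachable(rules: List[Rule], src: str) -> bool:
    """True when a connection from `src` would reach the SSH server and its hidden accounts."""
    return first_match(rules, src, 22) == "ACCEPT"


def public_accept_sources(rules: List[Rule], port: int = 22) -> List[str]:
    """Allow-list entries that are routable from the Internet (not in the private/reserved
    set ipaddress knows about). These are the ranges a third party could sit in; the
    advisory notes that not all of them are controlled by Barracuda."""
    return [net for action, net, p in rules
            if action == "ACCEPT" and p == port
            and not ipaddress.ip_network(net).is_private]


def harden_perimeter(rules: List[Rule]) -> List[Rule]:
    """Model the article's advice: a perimeter rule dropping TCP/22 from anywhere, placed
    ahead of the appliance's own allow-list, so the undocumented accounts are unreachable."""
    return [("DROP", "0.0.0.0/0", 22)] + rules


if __name__ == "__main__":
    print("Internet-routable allow-list entries:", public_accept_sources(APPLIANCE_SSH_RULES))
    for src in ("192.168.10.5", "205.158.110.7", "8.8.8.8"):  # constructed sample sources
        print(src, "before:", ssh_reachable(APPLIANCE_SSH_RULES, src),
              "after:", ssh_reachable(harden_perimeter(APPLIANCE_SSH_RULES), src))
```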

The oversight is tricky to exploit and was discovered by SEC Consult of Austria, which published an advisory on the issue today.

“An attacker is able to access all mentioned Barracuda appliances through weak passwords and gain shell access to execute arbitrary code on the appliances, e.g. in order to install further backdoors, change configuration or take over the system,” explained Johannes Greil of SEC Consult.

“Those attacks are possible from within the two large IP address ranges from the Internet, and two private IP address ranges. One hacked system or malicious company in those networks will allow an attacker to take over all externally reachable Barracuda appliances worldwide.”

Barracuda acknowledged the cock-up but downplayed the risk. It also released a software update called “Security Definition 2.0.5”, which tightened up its account security but does not remove the hidden root, remote and cluster users because they are needed to administer remote support for customers.

In a related advisory, SEC Consult said Barracuda VPN kit allowed an “unauthenticated attacker to download configuration files and database dumps”.

Steve Pao, VP for Product Management at Barracuda Networks, told El Reg that the undocumented superuser accounts were established for support purposes but admitted the setup was flawed and promised to pay SEC Consult an unspecified bounty for finding the vulnerability.

“The specific discovery was related to access from the default limited set of IP addresses used by the system to initiate remote support tunnels to Barracuda Technical Support,” Pao told El Reg in a statement. “We have released a security definition to existing Barracuda Networks appliances that minimises potential attack vectors.

“Individual customers should contact Barracuda Networks Technical Support if they need more information. As we do with all issues reported through our ‘Bug Bounty’ programme, we have acknowledged the SEC Consulting’s reporting of the issues in both the release notes with our security definition and on the Tech Alerts section of our Web site.”

Stefan Viehböck of SEC Consult led the research into the vulnerabilities. Barracuda has published alerts covering both bugs on its website here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/barracuda_backdoor/

RAT-flingers target human rights activists in watering-hole attack

The Reporters without Borders website was compromised on Tuesday to run a watering-hole attack. Researchers speculated that the attackers were likely targeting the human rights activists who visit the NGO’s online address.

So-called watering hole attacks are named for the passive technique of injecting malicious code where its intended victims are likely to find it – akin to poisoning a watering hole to target a particular group of wildebeest who are known to refresh themselves there.

The website of the French-based international non-governmental organisation, which advocates freedom of the press and freedom of information, was booby-trapped with exploits targeting recently patched Internet Explorer and Java vulnerabilities. The miscreants behind the attack are trying to target visitors to the site who have not yet updated with either the emergency IE patch release released last week or the Java update released around the same time.

The attack was picked up by net security firm Avast, which notified Reporters Without Borders’ (Reporters sans Frontières) website admins about the problem. The site was cleaned up by Tuesday afternoon.

Avast, which said the same attack appeared on the website of a “major” Hong Kong political party last week, said the latest phase of the assault was likely targeted against human rights activists who had visited the site. China has both the capability and motivation to pull off this sort of mischief and is by far the most likely culprit.

“Such an organization [RWB] is an ideal target for a watering hole campaign, as it seems right now the miscreants concentrate only on human rights/political sites – many Tibetan, some Uygur, and some political parties in Hong Kong and Taiwan which are the latest hits in this operation,” writes Jindřich Kubec, a security researcher at Avast. “In our opinion the finger could be safely pointed to China (again).”

The RWB attack, which bears some technical similarities to attacks carried out two years ago, is ultimately designed to deploy remote access Trojans (RATs), which give the intruder administrative control over the targeted computer. A blog post by Avast explaining the technical details of the Reporters without Borders’ attack can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/24/watering_hole_attack/