STE WILLIAMS

Hotel blames burglaries on hacked Onity card locks

A Texas hotel is claiming to have suffered multiple burglaries stemming from flaws in a common type of electronic lock, exploits for which were demonstrated at this year’s Black Hat hacking conference.

In July, security researcher Cody Brocious showed how a device cobbled together from $50 worth of parts could be used to break into locks manufactured by Onity, which supplies some of the largest hotel chains in the world. The device plugs into the data port on the locks and opens them by defeating poor crypto in the locking system.

Now the Hyatt hotel in Houston’s Galleria complex has told Forbes that its guests suffered a string of break-ins in September, and that it had identified the hacking of its Onity locks as the method used. 27-year-old Matthew Allen Cook has been arrested for the break-ins and is helping the police with their inquiries.

“We will vigorously defend these charges, and all the facts will be available after the trial,” Cook’s lawyer said.

The hotel owners say they became aware of the issue with Onity locks in August and were working with the company on a fix when the thefts took place. At the time of the Black Hat presentation, Onity called the hack “unreliable, and complex to implement,” but it appears not too complex for others to imitate.

So far Onity has offered two workarounds – covering up the data port with screws that are difficult to remove, or replacing the entire circuit board of the lock, which the manufacturer wants hotels to pay for themselves.

The hotel said it had been taking steps to mitigate the flaw but the robberies occurred before this had been done. It was eventually reduced to posting a physical guard in reception to try to deter thefts, in addition to gumming up the data port of the locks with epoxy glue.

Insurance firm Petra Risk Solutions issued an alert to its customers on the Onity locks last month, but said that around a fifth of its customers have yet to deal with the issue. Todd Seiders, director of risk management at Petra, said the company was already aware of other cases of theft using the hack.

“We’re expecting incidents in which these devices are used to explode nationally,” he said. “As crooks find success with it, they’re going to go back to the Internet and say ‘hey, it works. I was able to break into ten rooms.’ And then others build it and try it. We’re going to get hit hard over the next year.”

Onity was not available for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/hotel_onity_locks_hacked/

Data cops: Facebook privacy plans must be ‘modified’

Two privacy campaign groups have urged Facebook to rethink plans to change its terms of service, designed to help the social network squeeze more money out of ads. Meanwhile data regulators have stated that the plans will have to change so as to comply with privacy rules.

The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) penned a joint letter requesting Facebook reconsider its proposals that are supposed to be implemented tomorrow.

The US-based privacy outfits objected to three areas: the axing of users’ right to vote on Facebook policy changes; changes to the blocking of unwanted messages; and, most crucially, a shift to share users’ personal data across its growing online estate now that photo-sharing startup Instagram is part of the family.

Facebook, which floated on the Nasdaq in May, has told its users that it hoped to “improve the quality of ads” by making the tweaks to its service.

But EPIC and CDD aren’t happy with the plans.

“Because these proposed changes raise privacy risks for users, may be contrary to law, and violate your previous commitments to users about site governance, we urge you to withdraw the proposed changes,” the groups pleaded with Facebook.

EPIC, in a short statement, pointed out that while it’s true that Facebook is now on Wall Street with the big money boys, the company remains tied to a Federal Trade Commission (FTC) settlement that “prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users’ personal information”.

Indeed, as of November 2011, Facebook agreed to bi-annual privacy audits for two decades as part of its deal with the FTC. At the time the US watchdog said Facebook must be clear about changes to its website, including providing a “prominent notice” to users.

The social network was told it should obtain “express consent” before a user’s information is shared beyond any privacy settings already established by an individual connected to Facebook.

Arguably then, Facebook is failing to honour at least part of its agreement with the FTC: the website did inform all of its users of the plans in an email outlining the proposed tweaks. But it may have fallen down on the requirement to seek “express consent” for sharing data beyond the limits set in place by users. That said, the stateside regulator is yet to publicly express any disquiet about the company’s incoming privacy policy overhaul.

In contrast, here in Europe, the office of Ireland’s Data Protection Commissioner confirmed late last week that it was seeking “urgent clarification” from Facebook – whose European headquarters are in Dublin – about the changes.

Facebook declined to comment on this story beyond pointing to a brief statement made by its Washington-based spokesman Andrew Noyes to the LA Times on Monday. He told the newspaper:

As our company grows, we acquire businesses that become a legal part of our organisation. Those companies sometimes operate as affiliates. We wanted to clarify that we will share information with our affiliates and vice versa, both to help improve our services and theirs, and to take advantage of storage efficiencies.

A spokeswoman at the Irish Data Protection Commission told The Register this morning that the authority had since heard from Facebook about its proposed changes.

“We have sought and received clarifications on a number of aspects and have outlined our position in relation to what consent will be required for aspects of the policy,” the commission’s spokeswoman said.

“Facebook Ireland has understood this position and we expect the proposed data use policy to be modified to take account of these issues.”

El Reg asked Facebook if this meant the company would comply with the Irish Data Protection Commission’s request for modifications to the privacy policy or if it would simply forge ahead with the changes and continue to battle with the regulator on the topic of consent.

The company declined to comment and instead redirected us to Facebook’s statement from late last week in which it said:

“We are in regular contact with our regulators to ensure that we maintain high standards of transparency in respect of our policies and practices. We expect to maintain a continuous dialogue with the Irish DPC as our service evolves.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/privacy_groups_raise_alarm_over_facebook_ad_improvement_plans/

Yahoo! email! hijack! exploit!… Yours! for! $700!

A cross-site scripting (XSS) flaw on Yahoo! Mail creates a means to steal cookies and hijack accounts, according to a hacker who is offering to sell an alleged zero-day vulnerability exploit for $700.

The cybercrook, who uses the online nickname TheHell, knocked up a video to market the exploit which he is attempting to sell through Darkode, an underground cybercrime bazaar. The clip was captured and reposted on YouTube by security blogger Brian Krebs.

The video explains that the attack works by tricking a victim into clicking on a maliciously crafted link. This link supposedly exploits a cross-site scripting bug to steal the victim’s Yahoo! mail cookies, which a cybercrook can later use to log into and hijack compromised Yahoo! webmail accounts.

TheHell claims the exploit works on all browsers and is a bargain at the not inconsiderable sum of $700.

I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!

Yahoo! is investigating the alleged vulnerability, following a tip-off from Krebs. The video advertising the exploit fails to explain which vulnerable URL would trigger the attack, something that’s proving a little hard to pin down.

Yahoo!’s director of security, Ramses Martinez, told Krebs: “Fixing it is easy, most XSS are corrected by simple code change. … Once we figure out the offending URL we can have new code deployed in a few hours at most.”

Yahoo! has yet to respond to our request for an update on the situation. We’ll update this story as and when we hear more.

XSS flaws are a perennial web security problem and a permanent fixture in the Open Web Application Security Project’s (OWASP) list of Top 10 Application Security Risks. OWASP’s top tips for guarding against this class of vulnerability can be found here.

Xssed.com, a site that collates reported XSS attacks, has several previous examples of XSS flaws on Yahoo! pages and hundreds of examples of flaws on other sites. Scripting bugs vary greatly in their potency, so judging impact by numbers alone is bound to be misleading.

More commentary on the Yahoo! webmail flaws and cross-site scripting more generally can be found in a blog post by Lisa Vaas for the Sophos Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/yahoo_email_hijack/

Power station, airport SCADA defences ‘dead as a dodo’

Researchers have discovered yet more security vulnerabilities in crucial equipment used by power plants, airports, factories and other critical systems.

Exodus Intelligence said it has found more than 20 flaws in SCADA (supervisory control and data acquisition) software from vendors including Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton Corporation. The bugs expose machinery to the risk of either remote code execution or denial of service attacks.

Aaron Portnoy, veep of research at Exodus, said he found the security bugs in a matter of hours over Thanksgiving weekend. Writing on his company’s website, he likened SCADA software to a flightless bird – say, a dodo – in terms of its vulnerability to attack.

Last week, researchers at Maltese startup ReVuln recorded a video in which they boasted of discovering zero-day vulnerabilities in SCADA applications from vendors such as Siemens, GE and Schneider Electric. ReVuln intends to sell information on these vulnerabilities, potentially to government agencies, rather than report them to equipment manufacturers to fix.

Portnoy is critical of ReVuln’s approach to disclosure, and has promised to report his own findings to the affected vendors. There appears to be some overlap in the holes Exodus and ReVuln have discovered, but since the latter did not reveal any details, it’s difficult to be sure on this point. Portnoy told El Reg that his probing of SCADA code was not the fruit of commercial rivalry between Exodus and ReVuln.

“I don’t think we compete with ReVuln as the customers we deal with would not do business with a company that doesn’t disclose their findings,” Portnoy explained. “Also, our focus is quite different; we provide our customers with actionable information to help defend themselves or defend their clients against vulnerabilities in widely used enterprise software whereas ReVuln seems focussed on extorting SCADA vendors.

“Regarding overlap, I think it is quite likely that I found some of the bugs ReVuln has, mainly because the vendors they list only have a very limited number of SCADA products that you can find the software for. Also, there are some very small details that can be gleaned from the video ReVuln posted,” Portnoy added.

Luigi Auriemma of ReVuln hit back at the criticism that it was “extorting” vendors.

“We don’t sell vulnerability information to vendors, simple,” Auriemma said. “We have our vulnerability assessment solutions for software and hardware vendors like any other company on the market has.

“And regarding the vulnerability research we apply the same business model of the big players in the market so Portnoy is not attacking us, a little startup, but the whole market.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/scada_vulns/

Conmen swipe 100,000 Brits’ sensitive info in UK.gov fraud bid

Crooks attempted to defraud the UK government after swiping sensitive details on tens of thousands of civil servants, postmen, BT staff and public-sector workers, The Register has learnt.

The audacious raid of personal information on state and private-sector employees is the subject of a two-and-a-half-year criminal investigation. The leak put thousands of people at risk of identity theft.

The affected citizens – all of whom are past or present members of the Civil Service Sports Council (CSSC) – received letters warning them that their details were stolen two years and nine months ago by fraudsters who used the data to attack central government.

Sometime in or before February 2010 the database of 100,000 CSSC members was compromised, the council admitted in a letter dated 23 November. Names, addresses, National Insurance numbers, dates of birth, and in some cases debit card details and information about employers were lifted.

The non-profit sports body, which organises activities and leisure facilities, was alerted to the breach when a criminal investigation into fraud attempts on central government traced the data used in the scams to CSSC’s database.

Its membership is available to Royal Mail and BT staff as well as public-sector workers in the NHS, Fire Service, police, armed forces, education and other organisations.

The sports council believes no individuals suffered from identity theft as a result of the leak, although it warned members to report any attempts to defraud them:

When the theft was first identified, we had evidence relating only to a small part of our membership records. There was no evidence of any risk to individuals since the fraud concerned attempts to defraud central government rather than individuals.

Explaining why the council decided to warn all its members now, rather than two years ago, CSSC added:

We took the advice of the relevant authorities which was that no purpose was served by notifying members at that time. Investigations have now revealed that our full membership database could have been stolen and we have decided that members would want to know about the theft.

The sports council alerted the Information Commissioner’s Office on 18 February 2010, but the matter then passed over to police detectives, who have been investigating it since.

The personal information was held on a single database, which was subsequently breached. It is possible that financial details for those who paid the £40 yearly subscription fee have also been filched, as may have employment details, which were held separately.

Because of the ongoing criminal investigation into the leak, details of who inappropriately accessed the database, how they were able to do so, and how the attempted fraud against the government was committed have not been revealed. A Register source said National Insurance numbers are often used as a form of staff ID number in the Civil Service, which is why they were held on record.

El Reg asked the Metropolitan Police for a statement on the investigation and whether any arrests or charges have been made, and will update this story when it gets back in touch with us.

CSSC has apologised to its members and assured them that from March 2010 it significantly tightened its data security.

We have also contacted the council for further comment on the story, in particular why it withheld information about the breach from their members for so long, but the organisation would not comment beyond the information on its website, adding only that “fresh information which has recently come to light” prompted the mail-out to members. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/sports_council_data_theft_government_fraud/

BT.com blats small privacy bug, ignores GAPING HOLE

BT has squashed a mild website privacy bug reported by a Reg reader – but the telco has refused to address a related issue that allows anyone to add paid-for features to any BT landline.

The latter problem, described by the telco as a “customer convenience”, can be exploited using just a property’s postcode and phone number to cause mischief and inconvenience. The privacy flaw, which revealed the name of the landline account holder, has been fixed.

The Reg reader who raised the alarm, himself a BT customer, wanted to upgrade his landline account using the “Phone Calling Plan” packages section of BT’s website. After clicking on “start your order” the website allowed him to add paid-for options, such as unlimited calls, to his phone account with just the telephone number and postcode of his home.

At the end of the process a button allows the punter to create an account with bt.com to view online bills. Our man explained: “When I clicked on that it pre-filled the form with the full name of the primary account holder.”

Neither of these processes disclosed payment information.

But our reader argued that the process has insufficient security, and that the account number should be requested when adding extra paid-for services to an account. He was even more concerned about the display of an account holder’s name on the sign-up form for online bills, which he argued may be in breach of the UK’s Data Protection Act.

“You should not be able to order additional paid-for services with publicly available information,” said the customer, who wished to remain anonymous. “The phone number and postcode of a property are freely given out on letterheads, websites and all sorts.

“One could easily make a nuisance of oneself ordering extra services for someone and BT would be happy to comply with those requests, it seems. They should ask for the BT account number as well at the very least, since that is not something that people give out.”

In response, BT conceded that displaying the name of the account holder was a mistake and agreed to change its process. However the telco giant argued that knowing the phone number and postcode of a property was enough security when it came to adding paid-for options to an account:

Different levels of security apply to different products. Where judged as appropriate, for the purpose of customer convenience we do allow a limited number of services to be ordered online using the phone number and postcode.

It should not have been possible to view the name of the account holder by entering just the phone number and postcode. Thank you very much for bringing this to our attention, we have taken the appropriate action to close this issue.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/bt_phone_call_plan_privacy/

‘Anonymous’ takes down Texan RFID-tracking school

Activist group Anonymous, or persons using its insignia and name, claim to have taken down the website of the US schools that have made it compulsory for students to wear RFID tags.

Andrea Hernandez, a sophomore student at the John Jay High School’s Science and Engineering Academy in San Antonio, last week refused to wear the tags, arguing her rights to privacy and freedom of expression, along with her religious beliefs, meant she did not want to wear the tracking devices.

The Northside Independent School District in the Texan city of San Antonio, which operates John Jay High School, has since found its website at www.nsid.net won’t work.

A Twitter account named “@RemainSilentz” (https://twitter.com/RemainSilentz; profile: “Governments breach ALL privacy laws, put a stop to it, and act fast. Owner of Remain.”) has issued a tweet stating “DOWN AND OUT – Boom, track my ass like you track children you pervs” and later confirmed that what he or she was really saying is that the School District’s site is down.

The site appears to have been restored to working order, but @RemainSilentz then claimed to have taken it down, then let it operate again.

At the time of writing, the site is inaccessible from Vulture South.

RemainSilentz is also claiming a role in the downing of Pakistani domain registrar pknic.net.pk, one of several recent attacks on websites in that country. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/27/annymous_takes_down_northside_independent_school_district_as_revenge_for_rfid_tracking/

Defence Signals Directorate offers BYOD advice

Australia’s signals intelligence agency, the Defence Signals Directorate (DSD), has published two sets of guidelines for Australian government agencies contemplating a bring your own device (BYOD) regime.

The public advice, available here, is utterly anodyne and offers terrifyingly tough questions including:

  • What are the legal implications?
  • What are the financial implications?
  • What are the security implications?
  • Do I have a strong business case to justify the security trade-off?

It also makes the, to IT folks at least, non-startling observation that:

BYOD can be the ‘weak link’ into a network. Using mobile devices for both personal and business purposes can create more opportunities for social engineering and the inadvertent installation of malicious software. Malicious software can provide an entry route into the associated corporate network and access to information communicated or stored on the device. Organisations are likely to have less visibility and control over the security configuration of, and user behaviour on, BYOD. Employees will often lack the IT knowledge and motivation to reduce security risks to their devices.

The agency has also published a Bring Your Own Device (BYOD) Considerations paper at the OnSecure portal. Membership of that site is only open to government employees and outsiders engaged on government IT projects.

It is to be hoped it offers rather greater detail than the public document’s exhortation to “be consultative” when developing BYOD security, as “The most effective scenarios are jointly developed by business and legal representatives, IT security staff, system administrators and employees themselves. This helps ensure your organisation develops policy and processes which all stakeholders are willing to adhere to.” ®

Bootnote

If you’ve an OnSecure login, we can assure complete discretion if you choose to share the BYOD Considerations document with us.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/26/dsd_byod_advice/

New table-munching worm ravages Iranian biz databases

A new strain of malware is thrashing corporate databases in the Middle East, claiming the vast majority of its victims in Iran.

Narilam is “causing chaos” by targeting and modifying corporate databases, according to Symantec. The worm spreads through removable drives and network shares.

Network worms are relatively commonplace, but Narilam packs an unusual punch: functionality to update a Microsoft SQL database if it is accessible via OLEDB (Object Linking and Embedding, Database). The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd.

However, Iran’s Computer Emergency Response Team said in a statement that the Narilam malware was two years old, “not a major threat” and only corrupted the databases of an unnamed Iranian accountancy software package:

The malware called “Narilam” by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not wide spread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.

According to Symantec, some of the object/table names that can be accessed by the threat include Hesabjari (“current account” in Arabic/Persian), Asnad (“financial bond” in Arabic), R_DetailFactoreForosh (“forosh” means “sale” in Persian), pasandaz (“savings” in Persian), End_Hesab (“hesab” means “account” in Persian) and Vamghest (“instalment loans” in Persian) as well as tables such as “holiday”.

The threat replaces certain items in the database with random values. Some of the items that are modified by the threat include Asnad.SanadNo (“sanad” means “document” in Persian), Asnad.LastNo, Asnad.FirstNo, and Pasandaz.Code (“pasandaz” means “savings” in Persian), refcheck.amount and buyername.Buyername.

Narilam also deletes tables including ones with names including A_Sellers, person and Kalamast.

The malware lacks any functionality to steal information from infected systems and appears to be programmed specifically to damage the data held within the targeted database, Symantec concludes.

“Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations,” it adds.

Without well-managed backups, affected databases will be very difficult to restore. The malware is likely to cause significant disruption even if backups are available, according to Symantec. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/26/database_thrashing_malware/

Google, Apple, and Microsoft downed in Pakistan

Pakistan’s web users were left high and dry over the weekend after nearly 300 high profile sites including Google.com.pk, Microsoft.pk, Apple.pk and Yahoo.pk were hacked and defaced by what appears to be a mixture of Pakistani and Turkish attackers.

Many local versions of big name sites including Apple, Microsoft and PayPal have been taken offline as a result and were still unavailable to local viewers at the time of writing.

Conflicting reports have emerged about the motivation behind the attacks, which downed over 280 sites on Saturday morning, according to the Express Tribune.

The Google.com.pk homepage and others were apparently replaced with a picture of two penguins walking over a bridge and the English message “Pakistan downed”, as well as a bizarre line in Turkish which translates as: “My homies in a friend always there for me/ Have not shot by me with every breath”.

The hacker responsible for that, who uses the name KriptekS, did not leave any other messages on the sites, making it difficult to speculate what the purpose, if any, was, although the same person has been responsible for tens of thousands of defacements in the past, according to Zone-h.

KriptekS also included the name ‘Eboz’ on the Google defacement – a name linked to the defacement of hundreds of sites in the past going all the way back to 2009.

Several additional domains were hacked by Pakistani Notorious hackers, according to blog The Hacker’s Media which says the group warned .pk registrar PKNIC of a serious security hole but was ignored. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/26/pakistan_web_defecement_hundreds_of_sites/