STE WILLIAMS

Red peril paranoia hits Twitter

China watchers put two and two together and made five yesterday after pointing fingers at Chinese state-sponsored hackers whom they suspected of trying to break into their Twitter accounts.

Several high profile Tweeters from academia, media and elsewhere began suspecting foul play after having their passwords reset and receiving an email with the following message:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter.

Noting that fellow “China watchers” had reported similar, several began to suspect the hand of the Chinese authorities.

Some of the accounts compromised included those of the University of Hong Kong’s China Media Project – an account monitoring censorship in the PRC – and Wall Street Journal reporter Mei Fong.

“Wow, my Twitter account just got hacked. Party Congresses are such fun,” wrote another – Tsinghua University professor Patrick Chovanec.

Paranoia is high at the moment, especially for those tweeting from within the Great Firewall, because the Communist Party is currently holding its 18th National Congress – a glorified PR event at the end of which the Party will unveil the leadership team that will run the country for the next decade.

Such politically sensitive events are stage managed down to the last detail and usually come with an internet health warning as online censors step up their propaganda drive.

In the run up to this year’s Congress there have been outages of major foreign web sites, service interruptions and even an increase in blockages reported by VPN companies, the Wall Street Journal said.

Virtual Private Networks are the main route by which information-hungry China dwellers can bypass the Great Firewall and reach usually restricted content.

Although it is not known who the culprit of yesterday’s mass hack attempt was, it later emerged that the attack did not solely affect China watchers.

A Twitter balls-up actually turned it into a more widespread problem than it needed to be in the end after also resetting some accounts that hadn’t been compromised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/09/twitter_account_hack_congress/

Twitter: WHOOPS we’ve broken ourselves. Sorr-ee!

Twit accidentally pressed wrong button

Twitter has apologised for “unintentionally” resetting the passwords for a large number of its user accounts.

In normal circumstances the social network resets the login details for any account feared to have been hijacked. But it appears someone in Twitter today overreacted and pushed the reset button on a lot of accounts, including ones that had not been compromised.

Twitter said it reset the passwords on “a larger number” of accounts than necessary. This was the explanation on the Twitter status page:

In instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users.

In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologise for any inconvenience or confusion this may have caused.

Twitter wouldn’t elaborate on how many that “larger number” was. In the email sent out with the password resets, the cause of alarm was pinned down to a security breach in a third-party website that accesses Twitter feeds.

The email users received read:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/twitter_we_broke_your_account/

Adobe Reader 0-day exploit surfaces on underground bazaars

Miscreants have reportedly discovered a zero-day vulnerability in latest version of Adobe Reader.

Exploits based on the vulnerability, which circumvents the sandbox protection technology incorporated into Adobe Reader X and XI, are on sale in underground forums. Pricing starts at a hefty $30,000, but the exploit has already made its way into custom versions of the Blackhole Exploit Kit, a popular tool for distributing banking trojans such as ZeuS via drive-by download attacks.

The illicit trade was discovered by Moscow-based forensics firm Group-IB, which has produced a video illustrating the basic concepts (but not details) of the attack, which early analysis suggests only works against Windows installations of Adobe Reader.

Group-IB explained that the Adobe X vulnerability relies on malformed PDF documents with specially crafted forms.

Andrey Komarov, head of the international projects department of Group-IB, explained:

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF document. Either way, the vulnerability is a very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution.”

Adobe is in the process of investigating the vulnerability, which potentially makes its PDF viewing software less safe than alternatives such as Foxit and Sumatra PDF. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/adobe_reader_zero_day/

RIM good for secret jobs: BlackBerry 10 cleared for Restricted data

BlackBerry 10 has been validated against the US Federal Information Processing Standard FIPS 140-2, the cryptographic module standard that US and Canadian agencies require before sensitive government data can be handled on a device. Despite a drop in US government uptake of its kit, this is still something unique to RIM.

Apple’s iOS and Google’s Android have both made huge strides in security, but only RIM has ever managed to get a whole mobile platform through the FIPS 140-2 process, which is run by the National Institute of Standards and Technology together with Canada’s Communications Security Establishment under the Cryptographic Module Validation Program. Validation covers the cryptographic module (its algorithms, key management and self-tests) rather than the device as a whole; how sensitive a document may then be carried on it is a separate accreditation decision by each government. In this case that stretches to documents up to “restricted” level, so RIM’s devices will be turning up in some halls of power, if not all of them.

The news isn’t hugely surprising. Security has always been core to the BlackBerry platform, rather than something to be added on later, and that’s reflected at every level. BlackBerry 7, for example, deliberately overwrites deleted data on memory cards, rather than just flagging it as deleted (and thus permitting recovery) as other platforms do, but that’s just one example of the pervasive nature of RIM’s secure approach.

But the certification achieves two other important things too: it reminds everyone that BlackBerry is still the most secure mobile platform, and it keeps everyone talking about the new version for another week or two, the latter being particularly important as there’s still a few months until the launch and RIM needs to stay in the public eye until then.

Not that all publicity is good: on Wednesday an analyst from Pacific Crest Securities said the new OS might be “dead on arrival”, prompting an 8 per cent drop in RIM shares, and some damage limitation from the company.

“Two other analysts came out this week with some very, very positive reactions to the platform and some positive reactions to our prospects,” RIM told The Canadian Press, sounding a little like a petulant child arguing with an accusing parent.

Here in the UK we’ve certified previous versions of BlackBerry, but not looked at BlackBerry 10 as yet; with the US giving it the nod, don’t be surprised to see an update along those lines … just as soon as it looks like RIM might be at risk of being forgotten again. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/blackberry_10_fips/

Scotland Yard arrests female computer hacking suspect

Plods continue Op Tuleta against Fleet Street trickery

Scotland Yard officers arrested a 45-year-old woman this morning over alleged breaches of privacy.

The unnamed suspect is being quizzed by Operation Tuleta officers at a South London cop shop while her home is searched.

She was cuffed on suspicion of conspiring to commit offences under Sections 1 and 3 of the Computer Misuse Act 1990, and Sections 1 and 2 Regulation of Investigatory Powers Act 2000, police said.

Officers added: “This arrest is not directly linked to any news organisation nor the activities of journalists.”

Op Tuleta is a probe into alleged computer hacking and is related to the Met’s voicemail interception investigation (Op Weeting) and claims of bribes to police and officials (Op Elveden). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/operation_tuleta_arrest/

Bradley Manning submits partially-guilty plea in WikiLeaks case

US army private Bradley Manning has asked the court to accept a partially guilty plea that takes responsibility for leaking government documents to WikiLeaks.

Manning’s lawyer David Coombs said on his blog that Manning was willing to plead “by exceptions and substitutions”, where he doesn’t admit he’s guilty of the specific charges from the government, but he accepts responsibility for certain offences within the charges.

Coombs said that Manning wasn’t doing this as part of any kind of plea bargain or deal with the government, but off his own bat.

The government doesn’t have to accept the plea even if the court decides it’s legally permissible. Prosecutors can still try to prove the charges in full and seek the maximum sentence. The most serious charge, aiding the enemy, carries a potential death sentence, although prosecutors have said they will not seek it; if Manning is found guilty of the charges as they stand he could face life imprisonment.

Making a plea now could get Manning off on the more serious charges by accepting lesser offences, if the government is willing to let it go at that. The more serious charges include “aiding the enemy” by leaking the documents to the whistle blowing site.

Manning is facing a court martial over the document leak and has asked to be tried by a military judge alone, rather than a jury, at his trial in February. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/manning_accepts_partial_responsibility/

Psst: Heard the one about the National Pupil Database? Thought not

Analysis The Tories were big fans – in opposition – of labelling the then-Labour government a “database state” as it lumbered from one ID card disaster to another. But now that the Conservative Party is heading towards the mid-term point of its coalition with the Lib Dems, the notion of hoarding ever-more information about British citizens is alive and well – in the form of the under-reported opening up of the National Pupil Database.

Education Secretary Michael Gove told Parliament on Tuesday that his department had opened up a public consultation on plans, in his words, “to share extracts of data held in the National Pupil Database for a wider range of purposes than currently possible in order to maximise the value of this rich dataset.”

Chillingly, one such usage cited would involve creating a private sector market that would be able to offer “innovative tools and services which present anonymised versions of the data”.

What this means in practice is that sensitive information held about children across Blighty could soon be in the hands of marketeers who are looking to extend their data-scraping exercises beyond the likes of Facebook, Google and other well-known free-content ad networks. It would now seem that even a child’s school life including exam results, attendance, teacher assessments and even characteristics could soon be scrutinised in the same way – that is if Gove’s proposals get the go-ahead.

He told MPs:

We have already significantly expanded the content of school performance tables for primary and secondary schools and were commended in the National Audit Office report ‘Implementing Transparency’ (April 2012) for opening up access to our data. Recently, we have also improved the application arrangements for requesting access to data from the National Pupil Database under our existing regulations for those who need pupil level data for research purposes.

However, we are aware that the existing Prescribed Persons Regulations may prevent some potentially beneficial uses of the data by third-party organisations, as use is currently restricted to ‘research into educational achievement’. For example, we have had to reject requests to use the data for analysis on sexual exploitation, the impact on the environment of school transport, and demographic modelling, all of which seem to be legitimate and fruitful areas for further research.

A revision to the regulation could come as early as spring next year, Gove told the House. He stressed that confidentiality and security would not be ignored if such a legislative overhaul does take place. But he did go on to say that “existing arrangements” relating to access to pupil data would be extended to meet many more requests.

The Cabinet minister did not name the types of organisations that would be eligible to get their hands on the information, but he did make obvious points about their need to comply with the Data Protection Act and to demonstrate that appropriate security was in place.

One might have expected that such data would first be cleared of any pupil identifiers prior to being passed on to the private sector for its marketing purposes. Not so, according to Gove’s statement to Parliament yesterday. Here’s the interesting bit: it would appear that these unnamed third parties would be the ones anonymising the data on behalf of the DfE and not the other way round, as Gove stated:

“Any reports, statistical tables, or other products published or released, would need to fully protect the identity of individuals.”

Alarm bells ought to be ringing among civil liberties’ campaigners by now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/national_pupil_database_regulation_overhaul_in_private_sector_data_grab/

App designed for safe sending of naughty selfies is rife with risks

A smartphone app touted as a safe way to exchange naked pictures and saucy texts poses a huge privacy risk.

Snapchat is available for both iPhone and Android devices, and is marketed towards teenagers and young adults. The app lets senders control how long a message or picture can be viewed, before it expires after a maximum of 10 seconds.

The idea is that if a picture is only visible for 10 seconds then it limits the opportunity for others to forward it around the school campus, or (worse) upload it to Facebook or an image sharing site.

The problem is that this doesn’t stop anyone receiving a message taking a screenshot of their device and creating their own copy of the image, providing they are nimble fingered enough. The Snapchat app offers a warning if someone takes a screenshot, but not a way to stop this happening. Even this limited safeguard can be circumvented, warns net security firm Sophos.

“There are ‘how-to’ guidelines online explaining how jailbroken iPhones can subvert Snapchat, and take snapshots without informing the image’s sender,” explains Graham Cluley, senior technology consultant at Sophos.

“A less high-tech method to grab the image is to simply take a photograph of the phone that has just received the nude photo. And then there’s no way the Snapchat app can tell you if that’s happened,” he added.

Snapchat’s privacy policy admits that it can’t offer guarantees that any naked photos you send through the app will be only available for ten seconds.

“Although we attempt to delete image data as soon as possible after the message is transmitted, we cannot guarantee that the message contents will be deleted in every case. For example, users may take a picture of the message contents with another imaging device or capture a screenshot of the message contents on the device screen. Consequently, we are not able to guarantee that your messaging data will be deleted in all instances. Messages, therefore, are sent at the risk of the user.”

Snapchat, which received a 12+ rating from Apple for “Infrequent/Mild Sexual Content or Nudity”, is ahead of Instagram and only behind YouTube in the list of top free photography apps in Apple’s online store. The firm claims its iOS version alone has been used to share over 1 billion photos (“snaps”).

US online child safety advocate Mary Kay Hoal has also expressed concerns that youngsters might be fooled into thinking that Snapchat is a safe way to share nude and inappropriate photographs of themselves.

Despite these well intentioned warnings it’s unlikely that young people will stop sharing intimate photos of themselves over the internet anytime soon. Parasite porn sites are stealing and spreading such images and videos, according to recent research by the Internet Watch Foundation. In one very sad case, Amanda Todd was bullied so badly about images of her that were shared online that she eventually took her own life.

“Sharing a naked photo of yourself with someone via the internet is putting yourself at dangerous risk of embarrassment, humiliation or serious bullying,” Cluley concludes.

“Young people who adopt Snapchat shouldn’t fall into a false sense of security that it’s somehow a safe way to share naked pictures with their friends,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/snapchat/

Skype accused of ratting out user to private security without warrant

Skype is investigating claims it handed over personal information on a teenager implicated in an attack on PayPal without asking to see a warrant.

PayPal contracted Dutch security firm iSIGHT Partners to get to the bottom of assaults launched last year against the web payment firm. The distributed denial-of-service attacks were organised by members of Anonymous who were upset at the suspension of the WikiLeaks PayPal account that left supporters of the whistle-blowing site unable to send in cash donations.

iSIGHT reportedly tracked down the individuals allegedly involved in the Operation Payback assaults, linking one suspect to a Skype username.

According to reports this week, Skype coughed up the real name, email address and home address of a 16-year-old lad to iSIGHT after the security biz’s investigator Joep Gommers supplied the username.

This personal information, pulled from Skype payment records, was passed onto Dutch cops, it is claimed. iSIGHT counted Skype as one of its clients at the time of the supposed information exchange.

Skype’s alleged role in the affair potentially violates European privacy law as well as its own policies.

In a statement, the Microsoft-owned internet chat firm said it was looking into the matter and confirmed that – unless in exceptional circumstances – it wouldn’t hand over a user’s details without a warrant or court order:

We take customer privacy very seriously and are reviewing these claims. It is our policy not to provide customer data unless we are served with a valid request from legal authorities, or when legally required to do so, or in the event of a threat to physical safety.

The suspect in the case has not been named, and it’s unclear if any criminal prosecution was initiated, much less its outcome. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/skype_dutch_anon_cybercrime_controversy/

Gaping hole in Google service exposes thousands to ID theft

Exclusive A security flaw accessible via Google’s UK motor insurance aggregator Google Compare has potentially exposed vast numbers of drivers to identity theft.

The vulnerability, the existence of which has been verified by The Register, made it possible for comprehensive personal details – including names, addresses, phone numbers and job – to be harvested at will.

Information about the flaw was passed to The Register last week by a source who wishes to remain anonymous, but who is familiar with motor insurance aggregation systems. The data could be accessed via a simple edit of a motor insurance proposal form. The Register created a fictitious motorist for this purpose, and completed an online proposal form using Google Compare.

Google Compare sends this form to numerous underwriters – there can be at least 100 of these – and then Google offers you details of the companies that wish to offer a quote, together with their prices.

Some of these companies’ quotes, however, can be illicitly accessed. After we had made a simple edit to a vulnerable document, we were no longer viewing our own proposal form, but those of unrelated individuals.

When the edited document was passed to the vulnerable system, an entirely different proposal – often from an entirely unrelated underwriter – was displayed. Essentially, once a criminal has a form fielded by the vulnerable system, he could repeatedly edit the form in order to obtain complete details of a new person every time. The process would not be difficult to automate.
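The behaviour described above, in which changing a reference in a proposal form returns a stranger’s proposal, is the textbook insecure direct object reference: the system retrieves whatever document the client names without checking that the caller is entitled to it. What follows is an illustration of that class written for this page; it is not SSP’s, Google’s or any broker’s code, the flaw’s actual details are withheld by the article, and the in-memory quote store, session names, proposal numbers and handler names are all invented for the example. It puts a lookup that trusts a client-supplied proposal number beside one that binds the number to the requesting session, runs the enumeration loop the article says “would not be difficult to automate” against each, and adds a random single-use hand-off token as one way of fixing the identification step between aggregator and quote host.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Quote:
    """One motor insurance proposal as held by a hypothetical quote host."""
    quote_id: int
    owner_session: str   # the browser session that submitted the proposal
    name: str
    address: str
    phone: str
    occupation: str


# Constructed sample data (not real people): three proposals from three different visitors.
QUOTES = {
    1001: Quote(1001, "sess-a", "A. Driver", "1 Example Road", "01632 960001", "Teacher"),
    1002: Quote(1002, "sess-b", "B. Motorist", "2 Example Road", "01632 960002", "Nurse"),
    1003: Quote(1003, "sess-c", "C. Policyholder", "3 Example Road", "01632 960003", "Engineer"),
}


def get_quote_vulnerable(session, quote_id):
    """Insecure direct object reference: returns whichever proposal the client asks for.
    The session is accepted but never compared with the proposal's owner."""
    return QUOTES.get(quote_id)


def get_quote_hardened(session, quote_id):
    """Same lookup, but the reference is only honoured for the session that owns it.
    'Not yours' and 'does not exist' deliberately look identical to the caller."""
    quote = QUOTES.get(quote_id)
    if quote is None or quote.owner_session != session:
        return None
    return quote


def enumerate_quotes(handler, session, start, count):
    """Replays the attack the article describes: hold one legitimate session,
    walk the neighbouring proposal numbers and record every stranger's proposal returned."""
    leaked = []
    for qid in range(start, start + count):
        quote = handler(session, qid)
        if quote is not None and quote.owner_session != session:
            leaked.append(quote.quote_id)
    return leaked


# A second fix, for the hand-off between aggregator and quote host: instead of carrying a
# guessable proposal number in the form, the aggregator issues a random, single-use token
# that is bound server-side to the session that submitted the proposal.
HANDOFF_TOKENS = {}


def issue_handoff_token(session, quote_id):
    """Mint an unguessable reference for one proposal, tied to one session."""
    token = secrets.token_urlsafe(32)
    HANDOFF_TOKENS[token] = (session, quote_id)
    return token


def redeem_handoff_token(session, token):
    """Exchange the token for the proposal exactly once, and only for the right session.
    A token presented by the wrong session is burned as well, so it cannot be retried."""
    entry = HANDOFF_TOKENS.pop(token, None)
    if entry is None or entry[0] != session:
        return None
    return QUOTES.get(entry[1])


if __name__ == "__main__":
    print("vulnerable handler leaks:", enumerate_quotes(get_quote_vulnerable, "sess-a", 1000, 10))
    print("hardened handler leaks:  ", enumerate_quotes(get_quote_hardened, "sess-a", 1000, 10))
```

Run stand-alone, the vulnerable handler hands session “sess-a” the two proposals it does not own while the hardened one hands back nothing. Note that the ownership check alone closes the leak; the random token is there to show the other half of what the article calls the identification process, so that even a system which must accept a reference from a third party never accepts one the attacker can count upwards from.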

Nor does it appear that all of these people applied for insurance via Google Compare, because some of the forms we viewed were apparently quotes from other insurance comparison sites.

The problem was potentially vast. The Register understands that the flaw lies in third-party software external to Google Compare, operated by insurance and financial specialist SSP. But although Google’s own in-house systems were not directly compromised, the SSP system effectively allows criminals to operate Google Compare as a massive identity theft portal.

Our source claimed the SSP system is used by about 20 per cent of motor insurance brokers working with Google Compare, but that “quotes from near enough all car insurance comparison sites in the UK go through this system, so you will find all Google Compare’s customers in there, and other comparison sites’ customers also”.

“Your quote from Go Compare…” You were sitting down, weren’t you?

The quote above, accessed using the Google Compare flaw, appears to have been offered via Go Compare, not the spookily similarly named Google Compare.

The SSP system appears to act as a host for quote forms from a range of brokers and aggregators. Aside from this system’s ability to leak unrelated forms, Google’s own security could be viewed as overly lax.

“Some other aggregators do a server-side redirect,” says our source. “Other aggregators do not send the real contact details. It’s Google that chooses to send to this system.”

[Screengrab: our crash test dummy’s personal details, leaked by the vulnerable web system, and another quote inappropriately accessed]

After verifying the existence of the flaw, The Register notified the Information Commissioner’s Office (ICO) and Google, informing the latter of our intention to publish this story.

Within hours of being notified, a Google spokesman told us it had suspended insurers using SSP software from its comparison site – meaning the flaw can no longer be exploited via Google Compare.

Google also sent us a statement:

As soon as we became aware of this problem, which occurs on certain broker websites that use SSP software, we suspended those brokers. We have raised this issue with SSP and have asked them to address it immediately.

The ICO responded that it will begin enquiries before deciding what action, if any, was required.

We asked Google if it will report itself to the ICO. The company responded that it was SSP and the insurance brokers who had suffered a data breach, not Google. The search giant argued that the same problem exists with all aggregator sites, and said “we didn’t hold contracts with SSP – SSP holds contracts with those brokers” and “we’re not responsible for content”.

Which is a similar argument to the one Google uses regarding other media it links to. Essentially, the company believes it has no legal responsibility for what happens to the user after they’ve clicked on a link. And yet Google Compare undoubtedly collected personal data at the form-filling stage and passed it on to a third party whose software appears to be insecure. According to Google, that’s not its fault.

The Register contacted SSP, and will update our readers when we have received a response.

Although Google insists this isn’t its problem, and the same bug exists in other motor insurance aggregators, The Register has been unable to verify this. A check of Go Compare, for example, confirmed that the site does link to brokers using SSP software, but it does not seem to be possible to manipulate the quote proposal document in the same way that was, until yesterday, possible with Google Compare.

The Register’s source said it is likely some aggregators are indeed vulnerable to the flaw, but that others were already aware of it and had taken steps to stop it being exploited via their websites.

It seems there are two important aspects to the security bug: first, the way SSP’s software stores and retrieves proposal documents, and second, how it decides who is entitled to retrieve a given document. The flaw in the latter lay somewhere on the road from Google to SSP to broker – but that’s one for the ICO to figure out. ®

Bootnote

Many years ago, your writer worked for Insurance Age, The Review, Worldwide Reinsurance and Marine Insurance Bulletin. In those days they didn’t have computers … as such. El Reg has intentionally withheld precise details of the flaw at this stage in the interests of responsible disclosure.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/google_compare_identity_theft/