STE WILLIAMS

Hackers crack Texan bank, Experian credit records come flooding out

Hackers managed to get login credentials for Experian’s credit scoring reports after they broke into the systems of Abilene Telco Federal Credit Union last year, it has emerged.

Crooks gained access to the west Texan bank’s systems after hacking into an employee’s computer. The September 2011 breach allowed the hackers to get their hands on login credentials for the bank’s account with Experian, exposing the details of millions to potential snooping in the process.

A subsequent audit revealed that the attackers had used the compromised account to download credit reports on 847 people, obtaining Social Security numbers, dates of birth and financial data on individuals across the US who had never held an account with the small Texan bank.

The breach is one of 86 incidents that have exposed data stored by credit reference agencies (Experian, Equifax and TransUnion) to snooping since 2006. Hackers have obtained this information not by going after the credit reference agencies directly but by targeting banks, auto-loan firms, data brokers, police departments and other organisations that have access to the sensitive information, which can be used by identity thieves to establish lines of credit under false names.

In total, more than 17,000 credit reports have been exposed by breaches at third-party firms over the last six years, according to an investigation by news agency Bloomberg. The figures come from breach notification letters unearthed by a privacy advocate who calls themselves “Dissent Doe”, and wishes to preserve their anonymity.

Most of the exposed records (15,500 credit reports) came as a result of 80 breaches involving Experian’s database. Equifax was hit four times, resulting in the exposure of more than 1,200 reports, and TransUnion twice, exposing 500 reports, according to the DataLossDB.org website. The incidents all involved the theft of usernames and passwords from the credit bureaus’ customers. Dissent Doe is campaigning for a national register of breach reports.

Experian blamed malware attacks against its customers for a majority of the breaches.

“We continue to invest in the security systems we have in place to protect our clients and consumers,” an Experian spokesman told Bloomberg. “Of course, the first line of defence lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means.”

Jay Foley, a partner with the consulting firm ID Theft Info Source, told Bloomberg that the volume and seriousness of the breaches raise concerns that the credit bureaus haven’t invested enough in anti-fraud technology capable of drawing attention to suspicious behaviour on their clients’ accounts.
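The kind of client-side anomaly check Foley is describing, as an added example that is not from Bloomberg, Experian or the original article: it runs over a constructed audit log of report pulls (the account name, subject IDs and timestamps are placeholders) and flags a client account whose daily volume jumps far above its own baseline, or whose pulls cluster in the small hours, the pattern a stolen credential used from outside the lender's office would leave.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, one line per credit report pulled:
# "<ISO timestamp> <client account> <subject id>". The account name and
# subject ids are placeholders, not records from any bureau.
NORMAL_DAYS = """\
2011-09-01T10:12:03 LENDER-TX-01 S1001
2011-09-01T11:40:55 LENDER-TX-01 S1002
2011-09-02T09:05:10 LENDER-TX-01 S1003
2011-09-03T14:22:47 LENDER-TX-01 S1004
2011-09-03T14:25:01 LENDER-TX-01 S1005
2011-09-04T16:01:30 LENDER-TX-01 S1006
"""
# A constructed burst of 40 pulls between 02:00 and 02:39 on the next day.
BURST = "\n".join(
    f"2011-09-05T02:{minute:02d}:00 LENDER-TX-01 S{2000 + minute}"
    for minute in range(40)
)
SAMPLE_LOG = NORMAL_DAYS + BURST + "\n"


def parse(log_text):
    """Return a list of (timestamp, client, subject) tuples from the log text."""
    events = []
    for line in log_text.strip().splitlines():
        ts, client, subject = line.split()
        events.append((datetime.fromisoformat(ts), client, subject))
    return events


def find_suspicious(events, ratio=5.0, min_abs=20, off_hours=(0, 6)):
    """Return (client, day, reason, count) findings.

    volume_spike: pulls on one day reach `min_abs` and are at least `ratio`
    times the client's median daily volume across its other days, so a
    lender that normally runs a couple of reports a day stands out when
    hundreds appear.
    off_hours_burst: at least min_abs/2 pulls fall inside `off_hours`
    (hour range, end exclusive).
    """
    # client -> day -> [total pulls, pulls during off-hours]
    per_day = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, client, _ in events:
        cell = per_day[client][ts.date()]
        cell[0] += 1
        if off_hours[0] <= ts.hour < off_hours[1]:
            cell[1] += 1

    findings = []
    for client, days in per_day.items():
        for day, (total, night) in sorted(days.items()):
            others = [t for d, (t, _) in days.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if total >= min_abs and total >= ratio * max(baseline, 1):
                findings.append((client, day.isoformat(), "volume_spike", total))
            if night >= min_abs // 2:
                findings.append((client, day.isoformat(), "off_hours_burst", night))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse(SAMPLE_LOG)):
        print(finding)
```

The thresholds are deliberately per-client: a bank that legitimately pulls thousands of reports a day would never trip a global ceiling, but a credit union that normally pulls two a day and suddenly pulls forty at two in the morning should.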

The wide range of data held by credit reference bureaus has become the focus of a Congressional investigation over recent weeks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/29/credit_report_data_breach_worries/

Hackers deface ‘sinful’ French Euromillions site

You have to be in it to pwn it

Hackers sprayed digital graffiti on the French Euromillions website over the weekend as part of a protest against the “sin” of gambling.

A group identifying itself as the “Moroccanghosts” hacking crew posted messages decrying the lottery as the work of the devil in both French and Arabic after breaking into the euromillions.fr website.

AFP reports that the messages cited verses in the Koran that condemn games of chance and the demon drink.

Oh you believers. Wine, games of chance, statues all augur impurity and are the work of the devil.

Euromillions.fr now redirects to https://www.fdj.fr, the secure website of the firm that runs the Euromillions lottery in France – the FDJ Group. At this stage there’s nothing to suggest that hackers got into backend databases, much less accessed any sensitive data.

The techniques used to pull off the attack remain unclear. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/29/french_euromillions_defaced/

Android, heal thyself

Podcast Google’s Android mobile operating system is now on a par with others when it comes to security, says Accuvant security researcher Joshua Drake, aka jduck.

But there are still problems in the operating system, not least a staggered update process that makes

Then there’s WebKit, which permeates the operating system but is developed independently of Android. WebKit therefore presents a considerable challenge: it’s hard for developers to avoid, but also hard to understand when planning the security of an app or online service for an Android device.

In this podcast recorded at the Ruxcon Breakpoint conference in Melbourne earlier this month, Drake and Patrick Gray delve into Android security and ask whether Google has dodged a bullet, given the OS was rushed to market in a less-than-marvellously-secure state.

Joshua Drake on Android’s evolving security stance

You can also download the podcast here.®

Patrick Gray’s Risky Business podcast brought Reg readers special coverage of the Ruxcon Breakpoint conference.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/28/android_security_risks_remain/

Another systematic SCADA vuln

If it’s Monday, it must be time for a new SCADA vulnerability: this time, arising through the combination of a popular development environment and bad developer habits.

Described in full by Digital Bond researcher Reid Wightman here, as many as 261 manufacturers and heaven-knows-how-many deployed systems may have created insecure systems using the software.

The software in question is CoDeSys, from German company 3S. It provides a control system development environment that compiles the finished PLC program for a runtime engine on the target controller. Because the runtime needs access to /dev (if the target system is Linux) and an output bus, Wightman says the runtime is often given root or (in the case of Windows-based targets) administrator access.

And that becomes a problem when the environment provides network access to the command line – in the case of CoDeSys, via a TCP listener that’s part of the executable binary.

“The TCP listener service allows for file transfer as well as a command-line interface,” the post states. “Neither the command-line interface nor the file transfer functionality requires authentication.

“The result of all of this is that a user with the right know-how can connect to the command-line of CoDeSys and execute commands, as well as transfer files. Commands include the ability to stop and start the running ladder logic, wipe PLC memory, and list files and directories. Transferring files includes the ability to send and receive. Sending and receiving files also suffers from directory traversal — we can read and write files outside of the CoDeSys directory on the controller using “../” notation. On most operating systems this includes the ability to overwrite critical configuration files such as /etc/passwd and /etc/shadow on Linux, or the Windows registry on Windows CE.”

Apparently, the sole protection against malicious access built into the system is in its licensing system: the CoDeSys target system is only supposed to talk to its own PLC-Browser software. This, as Wightman has demonstrated (complete with code), is easily bypassed – meaning that any system visible to the Internet is vulnerable to attack. ®
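The traversal defect Wightman describes is the part of this a runtime author can fix in a few lines. Below is an added example, not CoDeSys code and not Digital Bond’s proof of concept, of how a file-transfer handler should map client-supplied names onto a fixed directory; the root path and the sample requests are assumptions for illustration.

```python
import posixpath

# Hypothetical runtime file root. The page does not describe the real
# CoDeSys directory layout, so this path is an assumption for illustration.
RUNTIME_ROOT = "/opt/plc/codesys"


class PathTraversal(ValueError):
    """Raised when a client-supplied name would leave the runtime root."""


def resolve_transfer_path(requested: str, root: str = RUNTIME_ROOT) -> str:
    """Map a client-supplied file name onto a path confined to `root`.

    Rejects NUL bytes, absolute paths and any "../" sequence that would
    escape the root, after normalising backslashes so the same rule holds
    for Windows CE targets. On a real target, follow this with
    os.path.realpath() and repeat the prefix check so that a symlink inside
    the root cannot point outside it (omitted here to keep the function
    pure and the example runnable anywhere).
    """
    if "\x00" in requested:
        raise PathTraversal("NUL byte in file name")
    candidate = requested.replace("\\", "/")
    if posixpath.isabs(candidate):
        raise PathTraversal(f"absolute path refused: {requested!r}")
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, candidate))
    # The trailing slash matters: "/opt/plc/codesys2/x" must not pass as
    # "inside" "/opt/plc/codesys".
    if full != root_norm and not full.startswith(root_norm + "/"):
        raise PathTraversal(f"path escapes root: {requested!r} -> {full}")
    return full


def classify(requests):
    """Return {request: 'allow:<path>' | 'deny:<reason>'} for a batch of names."""
    verdicts = {}
    for name in requests:
        try:
            verdicts[name] = "allow:" + resolve_transfer_path(name)
        except PathTraversal as exc:
            verdicts[name] = "deny:" + str(exc)
    return verdicts


if __name__ == "__main__":
    # Constructed sample requests, including the patterns the advisory quotes.
    for name, verdict in classify([
        "Plc_Prg.app",
        "logs/../app.bin",
        "../../../etc/passwd",
        "logs/../../../../etc/shadow",
        "..\\..\\..\\Windows\\registry.dat",
        "/etc/passwd",
    ]).items():
        print(f"{name!r:40} {verdict}")
```

The guard does nothing about the other half of the finding, the absence of authentication on the listener; a controller that still accepts unauthenticated commands should not be reachable from anything but an isolated engineering network.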

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/28/codesys_vulnerability/

ICO fines council £120,000 for crypto email fail

Stoke-on-Trent City Council has been fined £120,000 for failing to use proper cryptography, resulting in the details of a child-protection case being shared with the wrong people.

Last December a solicitor involved in a child-protection case sent 11 e-mails relating to the case to the wrong email address, a simple typo meaning that messages intended for the council were sent to a random member of the public. If they’d been encrypted, then that would have resulted in a confused recipient and no more – but they weren’t and that’s led to the £120,000 fine imposed by the Information Commissioner’s Office.

The investigation found that the council already had guidelines in place requiring the use of encryption, and that the solicitor was in breach of those guidelines, but the council was still at fault because its own legal department had neither the skills nor the software to handle encrypted messages.

The ICO was also upset as it had already raised the issue in 2010, when the same council lost a memory stick containing unencrypted data about another childcare case. Following that case, the council promised to try much harder in future, but it seems that the effort stalled once the guidelines had been written.

The case presents an interesting example of how important encrypted email is, even if there’s no deliberate attacker trying to intercept messages. Privacy advocates have long argued that routine encryption of all messages would be to the benefit of all, comparing our existing email systems to a postal service comprised entirely of postcards, but lack (or proliferation) of standards and the desire for simplicity has stymied any such development. ®
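Two controls would have caught this particular failure before the fine: refusing to send case material unencrypted at all, and warning when a recipient domain is one keystroke away from a known counterparty. The following is an added example, not the council’s or the ICO’s code, of an outbound-mail gate that does both; the domains, markers and messages are constructed placeholders.

```python
from dataclasses import dataclass

# Hypothetical trusted counterparty domains for a legal department
# (placeholders, not the council's or any solicitor's real domains).
TRUSTED_DOMAINS = {"council.example", "childcare-solicitors.example"}

# Phrases whose presence marks a message as case material that must not
# leave unencrypted. Constructed for the example.
SENSITIVE_MARKERS = ("child protection", "case ref", "safeguarding")


@dataclass
class OutboundMail:
    recipients: list
    subject: str
    body: str
    encrypted: bool = False  # True once the body is wrapped in S/MIME or PGP


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to spot a one-key typo in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def likely_typo_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain `domain` most resembles, or None if it is
    either exactly trusted or not close to anything trusted."""
    if domain in trusted:
        return None
    for candidate in sorted(trusted):
        if edit_distance(domain, candidate) <= max_distance:
            return candidate
    return None


def is_sensitive(mail: OutboundMail) -> bool:
    text = (mail.subject + "\n" + mail.body).lower()
    return any(marker in text for marker in SENSITIVE_MARKERS)


def check_outbound(mail: OutboundMail):
    """Return (verdict, findings); verdict is 'send', 'warn' or 'block'.

    Sensitive material that is not encrypted is blocked outright; a
    near-miss recipient domain only warns, since the user may genuinely
    mean it, but the warning is what turns a silent typo into a question.
    """
    findings = []
    for rcpt in mail.recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        near = likely_typo_domain(domain)
        if near:
            findings.append(f"recipient {rcpt}: domain looks like a typo of {near}")
    if is_sensitive(mail) and not mail.encrypted:
        findings.append("sensitive content is not encrypted")
        return "block", findings
    return ("warn" if findings else "send"), findings


if __name__ == "__main__":
    # Constructed message: case material, mistyped domain, no encryption.
    mail = OutboundMail(["clerk@counci1.example"],
                        "Child protection case ref 42", "Bundle attached.")
    print(check_outbound(mail))
```

Encrypting to the wrong recipient still fails safely only if the encryption is to a key the intended recipient holds; an encrypted message to a mistyped address is unreadable by the stranger who receives it, which is exactly the outcome the ICO said the council should have been able to rely on.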

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/26/ico_fine/

‘Huawei partner’ tried to sell US tech to Iran

Updated Chinese telecoms kit maker Huawei narrowly avoided the wrath of US investigators last year after a business described by Reuters as a Huawei supplier* offered to sell American-made equipment to Iran in a deal that would have broken sanctions, it has emerged.

Tehran-based Soda Gostar Persian Vista was ready to sell 36 cell tower antennas to operator MTN Irancell before the error was spotted, according to a Reuters report. The existence of the intended transaction is recorded in a purchase order seen by Reuters.

The antennas, made by US firm Andrew LLC, were part of a much larger order for Huawei telecoms kit from MTN Irancell placed through Soda Gostar, says the newswire.

South African MTN, which owns a 49 per cent stake in the Iranian operator, told Reuters it had requested 36 antennas from a German manufacturer that was not subject to sanctions, but the order had been mistaken.

“This was later identified as an error and as a result the tender request was cancelled with Huawei and the German goods obtained from a local reseller,” the firm added in a statement sent to the newswire.

US sanctions against Iran have been in place for several years but despite Huawei’s protests that it has not broken any laws in its continued trade with partners from the repressive state, it and its Shenzhen neighbour ZTE have come under increasing scrutiny.

In January, for example, US lawmakers called on the State Department to investigate claims it sold surveillance technology to Iran.

Then earlier this month, the damning House of Representatives Intelligence Committee report into Huawei and ZTE had this to say about the former:

Huawei failed to provide details of its operations in Iran, though it denied doing business with the government of Iran, and did not provide evidence to support its claims that it complies with all international sanctions or US export laws.

ZTE is already under investigation by the US on suspicion of breaking sanctions and then trying to cover up its actions when exposed by media reports.

Like Huawei, it announced it would not be seeking any new business in Iran, and has even sold off its ZTESec business, which flogged surveillance kit.

Cisco has already dropped ZTE as a partner as a result although cynics could argue this was more of a PR stunt for the US firm.®

*Update: Huawei has been in touch with El Reg since the publication of the article, and disputes Reuters’ version of events. The company told The Register:

Huawei was never involved in the transactions or business mentioned in the article. The speculated connection between a cancelled PO and Huawei’s involvement led to the author’s misleading conclusion. In addition, Huawei has not done any business with Soda Gostar.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/26/huawei_iran_partner_us_sanctions/

TSA fails again with adjustable boarding passes

The reputation of possibly America’s least-favorite fondlers, the Transportation Security Administration (TSA), has taken yet another hit with the discovery that its shoddy security allows passengers in its PreCheck system to pick their own security status.

PreCheck allows some frequent fliers willing to pay $100 for a background check to skip some of the onerous security checks, like taking off shoes and unpacking laptops or toiletries. PreCheck customers are still subject to more intensive searches on a randomized basis, however.

Aviation blogger John Butler discovered that the barcode on PreCheck fliers’ boarding passes was neither encrypted nor signed, and could be read by a simple smartphone app. It contained the flier’s name, flight details, and a number, either a one or a three, with the latter confirming the passenger was cleared for lesser screening.

It would be a relatively simple job to scan the issued boarding pass, decode it, and then change the security setting if you are planning to bring something naughty aboard, or even change the name on the ticket to match a fake ID. After putting the new information into a barcode, and a couple of minutes of cut and paste, the new boarding pass would work as normal, Butler explained.

“The really scary part is this will get past both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don’t check against the real time information,” he said. “So the TSA document checker will not pick up on the alterations. This means, as long as they sub in 3 they can always use the Pre-Check line.”

But the agency that appears to devote so much time to ogling (and possibly irradiating) fliers, fondling vibrators, promoting the homosexual agenda, or just plain stealing fliers’ belongings doesn’t seem to have thought of that. The TSA’s document checkers only compare the data in the barcode against the presented ID; they do not verify that the barcode itself is genuine. Checking it against the airline’s live reservation data would close the hole, and so would encrypting or, better, cryptographically signing the payload, since a home-made barcode would then fail to decrypt or verify.
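To make the weakness concrete, the following is an added example and not Butler’s code, the TSA’s, or the real barcode layout: a hypothetical pipe-separated boarding pass payload that any barcode reader can decode and edit, next to an HMAC-signed version that a verifier rejects once the screening field has been changed. The field layout, the sample passenger and the key are assumptions.

```python
import base64
import hashlib
import hmac

# Hypothetical simplified payload (NOT the real boarding-pass barcode
# layout): pipe-separated fields, the last one being the screening
# indicator the post describes ("1" = standard, "3" = PreCheck).
SAMPLE_PASS = "DOE/JOHN|UA123|20121026|SFO|IAD|1"

# Key assumed to be shared by the issuing airline and the checkpoint
# verifier. Constructed for the example; see the note on signing below.
ISSUER_KEY = b"demo-issuer-key-not-for-production"

FIELDS = ("name", "flight", "date", "from", "to", "screening")


def parse_pass(payload: str) -> dict:
    """Decode the plain payload. Any barcode app can do this."""
    values = payload.split("|")
    if len(values) != len(FIELDS):
        raise ValueError("malformed payload")
    return dict(zip(FIELDS, values))


def set_field(payload: str, field: str, value: str) -> str:
    """What the post describes: decode, edit one field, re-encode."""
    fields = parse_pass(payload)
    fields[field] = value
    return "|".join(fields[f] for f in FIELDS)


def sign_pass(payload: str, key: bytes = ISSUER_KEY) -> str:
    """Append an HMAC-SHA256 tag so the checkpoint can detect edits."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "|" + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_pass(signed: str, key: bytes = ISSUER_KEY):
    """Return the parsed fields if the tag is valid, else None.

    Returns None for an unsigned payload, a payload signed under another
    key, or a signed payload edited after signing.
    """
    payload, _, tag_b64 = signed.rpartition("|")
    if not tag_b64:
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if len(tag) != len(expected) or not hmac.compare_digest(tag, expected):
        return None
    try:
        return parse_pass(payload)
    except ValueError:
        return None


if __name__ == "__main__":
    # Unsigned: the screening field is just text and can be upgraded.
    print(parse_pass(set_field(SAMPLE_PASS, "screening", "3")))
    # Signed: the same edit on the signed string no longer verifies.
    signed = sign_pass(SAMPLE_PASS)
    print(verify_pass(signed))
    print(verify_pass(signed.replace("|1|", "|3|", 1)))
```

A shared-secret MAC means every issuing airline and every checkpoint hold the same key, so a leak anywhere lets anyone forge passes; in practice the issuer would sign with a private key and checkpoints would verify with the matching public key. The check at the document podium is the same either way: decode, verify, and only then trust the screening field.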

According to the TSA’s vision statement, the agency strives to “continuously set the standard for excellence in transportation security through its people, processes, and technology.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/26/tsa_barcode_boarding_pass/

No GPS in the iPad Mini Wi-Fi: People are right to criticise

Comment Wi-Fi-only iPads have never featured GPS, but the lack of satellite-navigation tech in the new Mini fondleslab’s non-cellular version has provoked a mild backlash: and rightly so, though not many people understand why.

The new gizmos do have a “digital compass”, a magnetometer which knows which way the slab is being pointed but not its location. The device guesses where it is by sniffing for nearby Wi-Fi base stations and checking their unique identifiers against Apple’s database of base-station locations.

It’s not at all accurate – the database has only a sketchy notion of where the base stations are, and the slab has very little idea where it is in relation to them. If there aren’t any Wi-Fi boxes about, it won’t work at all. But because Wi-Fi signals are short-range, the uncertainties aren’t too large and it’ll do for working out the route from the Starbucks to the beret shop.

If like most people you only ever use “free” online mapping services such as Google Maps or Apple Maps, there’s not much point in a Wi-Fi-only iPad having GPS. It would know where it was thanks to the generosity of the US Defense Department* even if it didn’t have a Wi-Fi signal, but it couldn’t pinpoint itself on an online mapping service because it couldn’t get online.

It would of course be a simple matter – and require only a few gigs of storage – to put a nation’s worth of maps on the device, as proper satnavs and navigation apps do, but neither Google nor Apple like you being able to operate without a data connection constantly telling them where you are. Advertisers and other people are very interested in this kind of information and will pay big money for it: this is how you pay for “free” online maps.

Apple does reluctantly fit GPS in its devices which have cellular data connections, as cell-tower signals are long ranging and thus are likely not to offer any position information of any use – and people would notice if they could get an online map but not locate themselves on it.

Rival slablets such as the Nexus 7 and the Galaxy Tab 2 feature the nowadays trivially-cheap-to-install GPS chipset by default, even in Wi-Fi only models, meaning that you always have the option to get on-device maps and avoid being tracked everywhere you go (and incidentally to avoid using up bandwidth allowances unnecessarily; and to navigate effectively in places where there is no data signal of any kind or only a poor one).

Not very many people will care enough to do that – but Apple, characteristically, has made sure that it isn’t even an option where the company sees a chance to do so. This isn’t just mildly evil: it also shows that the firm has an insultingly poor opinion of its customers’ tech savvy. ®

Bootnotes

*Who pay for and run the GPS satellite constellation, mainly for their own purposes. Experience has shown that it may be necessary at this stage to point out that the GPS signal is one-way only from satellite to receiver: the Pentagon can’t track you using the satellites, though tracker bugs – which send their information to their masters using other means – often locate themselves using GPS.

On the matter of power consumption, GPS is something of a battery hog – but not an exceptional one in these days of large video displays, 4G data connections etc.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/25/ipad_mini_wifi_no_gps/

Symantec CEO takes over global sales chief’s job, shows him door

Incoming Symantec CEO Steve Bennett has reason to be pleased; he’s inherited a quarter with moderately positive results, not that he’s thanking ousted CEO Enrique Salem for them. Instead he’s told all geographical sales bosses to report to him after announcing the exit of the global sales head, William Robbins. He has also demanded “more growth” from his team.

Revenues for Symantec’s second financial 2013 quarter of $1.7bn were up 1 per cent on an annual basis and 2 per cent compared to the first 2013 quarter.

Bennett – who is also chairman and president – was “pleased with the team’s results and progress made this quarter. We delivered solid results during the first quarter of a significant transition for the company”.

He said he wants “to deliver greater than 5 per cent organic growth and 30 per cent operating margins on a sustainable basis within the next two-to-three years.”

[Chart: Symantec revenue and profit history to Q2 FY2013]

The chart above shows that Symantec’s latest results are of the same kind as other quarters, no better and no worse overall. However, the sequential rise against a background of economic malaise is impressive.

CFO James Beer said: “We saw strength in enterprise security and backup as well as growth in consumer security.”

Security and compliance product sales were up 6 per cent year-on-year at $512m. Storage and server management product sales were down 2 per cent at $595m. Services were up 2 per cent at $64m.

All world region sales were up 1 to 6 per cent, except EMEA, which went down 4 per cent. Salem was ousted in July because Symantec was not growing in a market facing rampant change from spreading virtualisation, cloud-provided IT, end-point file sharing and synchronisation, and flash storage.

Symantec expects third quarter revenues of $1.72bn to $1.75bn, an up to 2 per cent increase. This is very impressive given the economy’s effects on customer-based IT suppliers like Fusion-io and WD, which are seeing declines or no growth respectively.

This is before any Bennett-initiated strategic change can have much effect. About that he said: “Starting with a clean sheet of paper, the team is hard at work developing a strategy and operational plan that will help us deliver more value for our customers and partners so we win in the market and improve our financial performance.” Pretty vague, huh.

Hold on, there’s more: “This plan will be one that both the leadership team and the Board believe we can deliver against in the short and long term. In the meantime, we also continue to evaluate all of our strategic alternatives to create shareholder value and believe we are on track to share our new strategic direction and operational plan in late January of 2013.”

That’s it – a twofold idea: run the business better and start out in a new direction, as yet unknown. It seems to El Reg that Bennett doesn’t know where Symantec needs to go but he does know it needs to go somewhere and he’s the man to galvanise the company into doing just that.

Galvanising is what he’s doing operationally too. Get this:

We are moving to change quickly so we can continue to improve our performance on a global basis. With more than 50 per cent of our revenue coming from outside the US, we can no longer operate like a US-based company with global distribution. And as you can see from recent history our growth rates are higher outside the US.

Our head of worldwide sales will be leaving the company. To better position us to win globally, we’ve decided to elevate the GEO leadership roles and have them report directly to me.

That’s brutal – bye bye Bill Robbins. There is no immediate plan to replace him, making Bennett effectively the sales head too – four jobs in one now; there must be more hours in a Bennett day than in everyone else’s. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/25/symantec_q2_fy2013/