STE WILLIAMS

Huawei says US stance is “protectionism”

The Chairman of Huawei’s Australian operations, John Lord, has proposed the nation create a national “cyber security evaluation centre” at which “all equipment implemented into major or critical Australian networks can be subjected to the same thorough security assessment.”

Lord said such a centre would mirror the UK’s Cyber Security Evaluation Centre.

Lord floated the idea during a speech to Australia’s National Press Club, a forum often used by politicians and other significant figures to announce big ideas or flesh out their thinking.

Lord’s speech called for debate on security in Australia to stay “sober” as “If we are to find real solutions to real cyber-security problems, we cannot allow the discussion to be muddied by issues like the ongoing trade conflict between the US and China.”

That conflict, Lord said, means the recent US House of Representatives committee report that damned Huawei “… must be called for what it really is: protectionism, not security.”

Lord went on to say the committee’s report is a geopolitical stunt, with the transcript of his speech offering the following:

“The fiery rhetoric of the U.S. Committee’s report may make good headline-fodder in an election year, but it should really be seen as a missed opportunity. It missed the opportunity to address the real issues at stake, to increase awareness of the common threats we face, and to develop methods of countering these threats in a realistic way. When all telecoms equipment is produced by an interdependent global supply chain, simply blacklisting a single vendor or country will not make critical infrastructure more secure.”

Huawei’s proposal, in Australia at least, is a testing centre at which it will happily “offer complete and unrestricted access to our software source code and equipment” and at which Lord hopes “in the interests of national security we believe all other vendors should be subject to the same high standard of transparency.”

Lord added that he imagines the centre “could be funded by vendors themselves and operated or overseen by security-cleared Australian nationals with complete transparency of all equipment.”

Huawei will, also Lord added, “support and adopt any internationally agreed standard or best practice for cyber security in its broadest sense; we will support any research effort to improve cyber defences; we will continue to improve and adopt an open and transparent approach enabling governments to review Huawei’s security capabilities, and finally, as we have done to date, we warmly welcome the assistance from our customers in enhancing our processes, our technology, and our approach to cyber security …”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/24/huawei_accuses_usa_of_protectionism/

FTC issues guidelines on facial recognition technology

The Federal Trade Commission has issued a staff report on best practices for companies using facial recognition technology in their businesses.

“Fortunately, the commercial use of facial recognition technologies is still young,” the report states. “This creates a unique opportunity to ensure that as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer.”

The report recommends that developers should approach such systems with “privacy in mind” – which sounds nice, but most of them are still concentrating on getting the technology to work as advertised in the first place, at least in El Reg‘s experience.

Companies need to set up appropriate security systems to safeguard facial identifying information, such as the distance between the eyes or length of the face, the report suggests. Once a customer stops using a facial service, that data needs to be wiped to safeguard privacy going forward.

Care should also be taken in considering where such systems are used. The FTC gives the example of digital signage that uses software to determine the age and sex of the viewer, and suggests leaving them out of places like locker rooms or toilets to avoid worrying people. Such signs should also be clearly marked, presumably so that they can be avoided.

Social networks come in for more-specific recommendations. Any kind of facial recognition system needs to be clearly signposted, and users need an easy way to opt out of any systems should they so desire. If they do choose to use such systems, they should have the right to not only opt out at a later date, but also to have all prior biometric data deleted.

The FTC also warns of a couple of issues that companies really need to deal with. First, express permission should be sought if the facial images are going to be used for anything other than the specific purpose they are gathered for, and nothing “materially different.”

Second, applications shouldn’t be developed that allow the identification of people without their express consent. The report suggests this could head off stalker apps that would allow someone to be surreptitiously photographed, identified, and then chatted up using information available online.

The report is at pains to point out that the report shouldn’t be seen as a guide to forthcoming legislation, but instead merely to provide guidance for companies getting involved in the nascent field. It appears we’ll have to wait until someone actually sues before there are any statutory controls.

“To the extent the recommended best practices go beyond existing legal requirements, they are not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC,” it reads.

“If companies consider the issues of privacy by design, meaningful choice, and transparency at this early stage, it will help ensure that this industry develops in a way that encourages companies to offer innovative new benefits to consumers and respect their privacy interests.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/23/ftc_facial_recognition/

‘Deceptive’ web tracker settles with FTC over personal data slurp

Web analytics firm Compete has settled with the Federal Trade Commission over charges that it was slurping users’ personal data without permission and wasn’t adequately protecting that information.

The company tracks the browsing habits of people who download its software and then sells that data to clients so they can improve their website traffic and sales.

But according to the FTC, that software regularly captured additional personal details about the users’ online activity, including sensitive information such as credit card and social security numbers.

Compete, owned by Kantar Media, which is owned by marketing comms behemoth WPP, now has to give its users directions about how to install its software as part of the settlement. The tracking firm also has to obtain explicit consent before collecting data and has to delete or anonymise all the information it has already gathered.

The company more or less tricked folks into downloading the tracking software, the FTC alleged. Some users joined a “consumer input panel”, promoted using ads that put them on the Compete website, because they were told they could win rewards by sharing their opinions about products and services, the FTC charged.

The toolbar was another good way to get the software embedded, promising users instant access to data about the websites they visited. Aside from direct downloads, Compete also licensed the software to other companies.

The firm made numerous assurances to people that their data would be safe, that it was only interested in the webpages visited and that personal identifiable information would be stripped out, but the FTC alleged that these promises were “false and deceptive”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/23/web_tracker_settles_with_ftc/

‘Looming menace’ of evil browser extensions to be demo’d this week

A security researcher has developed a proof-of-concept browser botnet extension to illustrate the perils of what he describes as a “looming menace”.

Zoltan Balazs of Deloitte Hungary developed the code to illustrate the risk from malicious browser add-ons, which he argues anti-virus vendors are ill-equipped to defend against.

The proof-of-concept Chrome, Safari and Firefox extension offers a command-and-control panel, rootkit capabilities, the ability to steal cookies and passwords, execute JavaScript, upload and download files, and more.

Balazs is due to demonstrate how the technology works on both PCs and Android phones at the Hacker Halted conference in Miami, Florida later this week.

Balazs is also expected to demonstrate how the proof-of-concept code might be used to bypass Google’s two-step verification process.

Malicious extensions can potentially pose as browser add-ons necessary to view Flash files, or use similar tricks. Conventional Trojans are often distributed using this technique (and offer the same range of potential capabilities) but hooking malware onto browsers offers a number of advantages from the perspective of a cyber-crook, as Balazs explains.

There are a lot of advantages of malicious browser extensions against traditional native malware. The command and control channel can be easily set up between the browser and the client, because the firewalls usually allow HTTPS communication between the internet and the web proxy, and the browser uses the transparent built-in authentication to the proxy.

Desktop firewalls and application white-listing won’t block the traffic, because these only detect that the browser is communicating with the internet, which is usually allowed. Even if executables are blocked via web filtering, the user is able to add new extensions to the browser. The extension is cross-platform; I tested my Firefox extension on Windows 7, OSX Snow Leopard, Ubuntu 12.04 and Android Gingerbread (2.3.7).

Because of the man-in-the-browser attack the passwords are readable before SSL encryption and even before any JavaScript obfuscation is done.

Virus writers have yet to develop powerful malicious extensions. The best example seen so far is the malicious Chrome add-on that posed as the Bad Piggies game but actually spammed users with dodgy ads. More than 80,000 users of the Google Chrome browser fell victim to the counterfeit Bad Piggies game, according to a post-attack analysis by security researchers from Barracuda Labs. Malicious browser extensions have also been used in isolated cases as a means to spread scams on Facebook.

It’s “very possible for virus writers” to develop malicious browser extensions that pack a far more powerful punch, Balazs told El Reg. Worse still “defensive techniques are in the Stone Age,” he warned.

Malicious browser extensions are easily capable of bypassing anti-virus and other defences before stealing personal and business data or monitoring online activities.

Some mitigation procedures are already in place while others need further development, according to Balazs. Browser developers should adopt an App Store-style model and deny the installation of browser add-ons obtained from outside this ecosystem by default, he says. Balazs wants to see the creation of a blacklist of rogue extensions, as an additional security defence.

Anti-virus firms need to develop a deeper insight into browser extensions. Safety-conscious surfers should avoid applying any extensions to the browser they use for their online banking transactions, as a precaution, he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/23/browser_botnet/

Aus student data stored for Google ads

Australian students may be spared potentially invasive digital data access from Google following the Privacy Commission’s decision to back the EU’s reforms regarding Google’s new privacy policy.

European data protection agencies have given Google a four month deadline to fix its new privacy policy which the agencies claim do not comply with EU laws.

Last week the Australian Information Commissioner, Timothy Pilgrim, as part of the regional data protection agency group the Asia Pacific Privacy Authorities Forum (APPA), announced its support for the recommendations made by the Commission Nationale de l’Informatique et des Libertés (CNIL) Working Party’s investigation into Google’s privacy policy issues.

One of the data protection agencies’ key concerns under Google’s new privacy policy is the data-capturing capability of the apps used by governments.

In Australia, Google Apps for Education is widely used by the education sector with the New South Wales Government’s Department of Education and Training currently one of its biggest users across its 1.2 million student base.

Currently Google’s usage policy provides the ability to turn on and serve behavioural advertising to those 1.2 million students based upon their emails, attachments, uploaded videos and digital activity.

Digital law specialist Bradley Shear, who has been working on similar privacy protection issues in the U.S, told The Register that under the current Google Apps for education agreement, Google can store student data anywhere in the world leaving countries and students that are not protected by the CNIL’s recommendations exposed.

Shear warned that from a public policy perspective, the issue raised “is whether it is acceptable for a government to monetize a student’s personal thoughts and interactions between their teachers and fellow students.”

Shear questions whether it would be acceptable for Australian teachers to capture their students’ preferences and then return projects with coupons for items based on their work, or for a teacher or a school to be paid to provide discount offers to children based on how they responded to classroom projects.

“Australian education authorities must re-evaluate how they protect student privacy, and they must be more cognizant when making public policy decisions that may put personal privacy and safety at risk,” he warned.

If Australia, under APPA’s direction, implements CNIL’s recommendations, Australian schools will not be able to advertise to their students based on their school work.

Google Australia has yet to respond on its stance on students’ privacy or whether it will modify data domiciling arrangements under the EU’s edict. The company has, however, shown sensitivity to the issue of data domiciling in the past, with data from the New South Wales Education Department’s GMail implementation hosted onshore by Telstra. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/22/google_privacy_hits_edu_sector/

Four in ten Brits have had to change all their passwords to foil crooks

A survey of over 3,000 Brits has discovered that more than half (56 per cent) have been targeted by online criminals with a successful attack costing, on average, £247 per person.

The study, released on Monday to coincide with the start of the annual Get Safe Online awareness week, discovered that almost one in five (17 per cent) victims were too embarrassed to tell anyone or share their experience with others. Almost a third of those surveyed by OnePoll (29 per cent) admitted they didn’t know whether or not they were putting themselves at risk when they used the net.

GetSafeOnline.org is trying to encourage greater openness and discussion about online security problems via a “Click Tell” online campaign and roadshow which will visit various UK cities this week (22-26 October). This year marks the seventh edition of GetSafeOnline, a campaign backed by the UK government and numerous internet security firms.

The GetSafeOnline.org survey showed that almost one in five (19 per cent) have lost money as a result of cyber criminals. An even greater number have suffered inconvenience as a result of online security attacks: almost half (40 per cent) of respondents were obliged to change all of their passwords and over one in 10 (15 per cent) had to replace their bank cards.

The survey tabulated the five most common online threats to UK surfers:

  1. Viruses (20 per cent)
  2. Email hackers (18 per cent)
  3. Social media hackers (12 per cent)
  4. Fraudulent selling (12 per cent) – over one in 10 people have bought something online that never arrived
  5. Online credit card fraud (9 per cent)

The survey revealed that consumers frequently don’t change their behaviour even after being affected by a security breach. Of those who experienced an attack, 65 per cent of laptop users and 75 per cent of smartphone users continued to use their kit in the same way.

Francis Maude, the UK Minister responsible for cyber security in the Cabinet Office, said: “The internet provides us with so many opportunities – for education, buying and selling online, communicating with work colleagues, friends and family alike. But unfortunately there are always those who will seek to take advantage of us when we are online going about our everyday business.

“Get Safe Online’s new research shows that people are still at risk. We all need to take steps to spread advice on how to help prevent this sort of thing happening in the first place. By following some very simple steps and precautions available through getsafeonline.org, we can continue to take advantage of all the benefits the Internet has to offer, safely and securely,” he added.

Teenagers warned: stuff you upload online may re-appear elsewhere online

Separately, young people have been warned they might lose control over images and videos once they are uploaded online.

A study by the Internet Watch Foundation (IWF) found that 88 per cent of self-generated, sexually explicit online images and videos of young people are lifted from their original location and uploaded onto other websites.

IWF analysts encountered more than 12,000 such images and videos spread over 68 websites. In many cases, parasitic pornographic websites are lifting photos and videos uploaded by teenagers onto social-networking sites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/22/getsafeonline/

Android apps get SSL wrong, expose personal data

More than 1,000 out of a sample of 13,000 Android applications analysed by German researchers contained serious flaws in their SSL implementations.

In this paper (PDF), the researchers from Leibniz University in Hannover and Philipps University of Marburg found that 17 percent of the SSL-using apps in their sample suffered from implementations that potentially made them vulnerable to man-in-the-middle (MITM) attacks.

They state that they were “able to capture credentials from American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary e-mail accounts, and IBM Sametime”.

In addition, since virus software also uses SSL, “We were able to inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely.”

The problems arise because developers misuse the SSL settings the Android API offers. Examples given by the researchers include apps that are instructed to trust all certificates presented to them (21 of the 100 apps selected for a MITM test), and 20 of the MITM-tested apps that were configured to accept certificates regardless of the associated hostname (for example, an app connecting to PayPal would accept a valid certificate issued for another domain). Other issues included SSL stripping and “lazy” SSL implementations.
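The two misconfigurations named above (trust-all certificate validation and accept-any-hostname verification) are visible in source. The following is an added example, not the researchers’ MalloDroid code, of a small static check in the same spirit: it scans constructed Java snippets for those patterns and shows a hardened trust manager that passes. The snippet class names, the `platformTm`/`spkiSha256`/`PIN` helpers in the hardened sample, and the sample code itself are all constructed for the demo.

```python
"""Source-level check for the two Android SSL misuse patterns the researchers
describe: a trust manager that accepts every certificate, and a hostname
verifier that accepts every host. Added example modelled on what a static
scanner looks for; it is not the MalloDroid implementation."""
from __future__ import annotations
import re
from dataclasses import dataclass

# A checkServerTrusted() whose body is empty (or only comments / a bare return)
# never throws, so it accepts any certificate chain, including an attacker's.
TRUST_ALL_RE = re.compile(
    r"checkServerTrusted\s*\([^)]*\)\s*"
    r"(?:throws\s+[\w.]+(?:\s*,\s*[\w.]+)*\s*)?"
    r"\{(?:\s|//[^\n]*|return\s*;)*\}"
)
# A HostnameVerifier.verify() that unconditionally returns true: a valid
# certificate for any other domain is accepted for this connection.
ANY_HOST_RE = re.compile(
    r"\bverify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*"
    r"\{(?:\s|//[^\n]*)*return\s+true\s*;(?:\s|//[^\n]*)*\}"
)
# Apache HttpClient constant that disables hostname checking outright.
ALLOW_ALL_RE = re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")


@dataclass(frozen=True)
class Finding:
    kind: str   # "trust-all-certificates" or "accept-any-hostname"
    line: int   # 1-based line of the match in the scanned source


def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def scan_java(source: str) -> list[Finding]:
    """Return one Finding per dangerous pattern found in a Java source string."""
    found = []
    for m in TRUST_ALL_RE.finditer(source):
        found.append(Finding("trust-all-certificates", _line_of(source, m.start())))
    for pattern in (ANY_HOST_RE, ALLOW_ALL_RE):
        for m in pattern.finditer(source):
            found.append(Finding("accept-any-hostname", _line_of(source, m.start())))
    return sorted(found, key=lambda f: f.line)


def mitm_exposed(source: str) -> bool:
    """True if either pattern is present; such an app accepts a MITM certificate."""
    return bool(scan_java(source))


# Constructed Java snippets for the demo (not taken from any real app).
TRUST_EVERYONE = """\
public class TrustEveryone implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) {
        // accept whatever certificate the server presents
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
"""
ANY_HOST = """\
public class AnyHost implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
HttpsURLConnection.setDefaultHostnameVerifier(new AnyHost());
"""
# Hardened form: normal chain validation, then a pin on the leaf public key.
# platformTm, spkiSha256 and PIN are hypothetical helpers for the demo.
HARDENED = """\
public class PinnedTrust implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        platformTm.checkServerTrusted(c, a);      // normal chain validation
        if (!PIN.equals(spkiSha256(c[0]))) {      // then pin the leaf key
            throw new CertificateException("certificate does not match pin");
        }
    }
    public void checkClientTrusted(X509Certificate[] c, String a)
            throws CertificateException { platformTm.checkClientTrusted(c, a); }
    public X509Certificate[] getAcceptedIssuers() { return platformTm.getAcceptedIssuers(); }
}
"""

if __name__ == "__main__":
    for name, src in (("TrustEveryone", TRUST_EVERYONE), ("AnyHost", ANY_HOST),
                      ("PinnedTrust", HARDENED)):
        print(name, scan_java(src) or "no SSL misuse found")
```

The regexes are deliberately narrow; a real scanner also has to follow which `SSLSocketFactory` or `HostnameVerifier` is actually installed on the connection, which is where MalloDroid's bytecode analysis goes beyond a text match.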

Furthermore, the researchers note that a number of apps provided insufficient feedback to users – for example, failing to tell the user whether or not it was using SSL to transmit user credentials.

The researchers say the tool they developed for scanning apps’ SSL implementations, MalloDroid, will be available as a Web app and as part of the Androguard security scanner. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/21/android_app_ssl_vulnerability/

US accused of hypocrisy over cyber warfare

Recent warnings of a “cyber–Pearl Harbor” by US Defense Secretary Leon Panetta and others are hypocritical, according to a leading security expert, given that the US is responsible for most of the online attacks so far uncovered.

“If we look for offensive cyber attacks that have been linked back to a known government, we mostly find attacks that have been launched by United States, not against them,” said F-Secure’s chief research officer Mikko Hyppönen in a blistering blog post.

“As United States is doing offensive cyber attacks against other countries, certainly other countries feel that they are free to do the same,” he writes. “Unfortunately the United States has the most to lose from attacks like these.”

So far security researchers have identified five malware attacks that stem from Operation Olympic Games, a collaborative effort between the US and Israel to use malware offensively. The US government hasn’t denied the attacks are its work, Hyppönen notes, just launched an investigation to find out who leaked news of the program.

There’s very little incentive for a crushing attack against the internet, Hyppönen points out. Online criminals aren’t going to bork the net, since it’s their livelihood, while activists such as Anonymous have no motive either, since their power derives from being online. Other nation states would be better off using the internet for espionage rather than crashing the entire system, he notes.

Security experts are sharply split on the use of online weaponry to attack physical infrastructure. Some feel it’s a better option than putting humans in the line of fire, but many feel it sets a dangerous precedent. Hyppönen clearly counts himself in the latter camp. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/20/us_hypocrisy_warfare/

They’ve only gone and HACKED the WEATHER

Hackers have lifted potentially sensitive data from the US National Weather Service after exploiting a vulnerability in the weather.gov website.

A previously-unknown group called Kosova Hacker’s Security claimed credit for the hack in a lengthy post on pastebin, containing a stream of data lifted as a result of the hack. Leaked data includes a list of partial login credentials, something that might give other hacking crews a head start in attacking the website, as well as numerous system and network configuration files.

The leaked information appears to consist only of system files and the like rather than scientific data, something that strongly distinguishes the breach from the so-called ClimateGate hack against the Climatic Research Unit (CRU) at the University of East Anglia back in November 2009.

The hacking crew said it took advantage of “local file inclusion vulnerability” that allowed it to ransack the weather.gov servers. Kosova Hacker’s Security said the hack was carried out in retaliation for American aggression against Muslim nations, including the Flame and Stuxnet malware attacks against the Iran nuclear program.

“They hack our nuclear plants using STUXNET and FLAME like malwares, they are bombing us 27*7, we can’t sit silent – hack to payback them,” The Hacker News quotes the hackers as saying.

KHS’ supposed grievance makes weather.gov a bit of an odd target. However, the group threatened to carry out further attacks against US government systems.

The weather.gov website was back up and running at the time of writing on Friday afternoon.

A post on Sophos’s Naked Security blog reports that the local file inclusion vulnerability was quickly patched but at least one other vulnerability, a cross site scripting hole, was subsequently discovered on the site. It’s unclear if the XSS vulnerability, which is the sort of thing that’s most useful for those interested in running phishing attacks rather than punching through web servers to hack into back-end databases, has been fixed as yet.

Weather.gov is run by the US National Weather Service, part of the National Oceanic and Atmospheric Administration (NOAA). NOAA is a unit of the US Department of Commerce in charge of providing “weather, water, and climate data, forecasts and warnings for the protection of life and property and enhancement of the national economy”. It’s also well known as custodian of one of the three main databases used to measure global warming: the other two belong to NASA and the British Met Office’s Hadley Centre. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/19/us_weather_service_hack/

HSBC websites fell in DDoS attack last night, bank admits

Updated: HSBC has blamed a denial of service attack for the downtime of many of its websites worldwide on Thursday night.

Various Reg readers told us they were unable to reach the HSBC UK and First Direct websites on Thursday, leaving them unable to carry out internet banking services. Problems kicked in just before 20.00 BST and lasted for around seven hours.

Unconfirmed reports suggest that HSBC was targeted by the Izz ad-Din al-Qassam Cyber Fighters as part of a current campaign (see Pastebin post*) to get the controversial Innocence of Muslims video removed from YouTube. The group also took credit for interrupting customer access to the websites of Capital One earlier this week, again without warning, WSJ reports. The same group staged a series of digital sit-in (denial of service) attacks against US banks including Bank of America and Chase last month.

Security researchers analysing the earlier attacks quickly came to the conclusion that they were largely powered by botnet networks of malware-infected PCs.

In a statement, HSBC said that attacks had affected customers worldwide, and reassured clients that sensitive account data was not exposed by the attack.

On 18 October 2012 HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world.

This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking.

We are taking appropriate action, working hard to restore service. We are pleased to say that some sites are now back up and running.

We are cooperating with the relevant authorities and will cooperate with other organisations that have been similarly affected by such criminal acts.

We apologise for any inconvenience caused to our customers throughout the world.

An updated statement from HSBC says that by 03.00 BST, it had brought all its websites worldwide back into service.

Darren Anstee, EMEA solutions architect team lead at Arbor Networks, said: “Recent attacks have used what we call multi-vector attacks, attacks which utilise a combination of volumetric and application layer attack vectors. What we are seeing here are TCP, UDP and ICMP packet floods combined with HTTP, HTTPS and DNS application layer attacks. Attackers are doing this because they know it makes the attacks more difficult to deal with, but not impossible if we have the right services and solutions in place.” ®

* Has anyone solved for “Panetta” (US Justice Department Secretary) yet?
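The multi-vector point in Anstee’s comment, that volumetric floods (TCP, UDP, ICMP) arrive alongside application-layer traffic (HTTP, HTTPS, DNS), is what a defender has to recognise in flow data. The following is an added example, not Arbor’s or HSBC’s tooling: it classifies constructed per-second flow records into those six vectors, applies hypothetical packet-rate thresholds, and reports whether both classes of vector are active at once.

```python
"""Classify flow records into the attack vectors named in the article and flag
the multi-vector case. Added example: the records, the thresholds and the
classification rules are constructed for the demo, not taken from Arbor."""
from __future__ import annotations
from collections import defaultdict

VOLUMETRIC = {"tcp-flood", "udp-flood", "icmp-flood"}
APPLICATION = {"http", "https", "dns"}

# Packets-per-second rate above which a vector counts as active. Hypothetical
# values; a real deployment derives them from the site's own traffic baseline.
THRESHOLD_PPS = {"tcp-flood": 50_000, "udp-flood": 50_000, "icmp-flood": 20_000,
                 "http": 2_000, "https": 2_000, "dns": 5_000}


def classify(rec: dict) -> str | None:
    """Map one flow record to the vector it would contribute to.

    Record fields: proto ("tcp"/"udp"/"icmp"), dport, pkts, optional TCP flags.
    SYN-only TCP flows never complete a handshake, so they are a SYN flood;
    established flows to 80/443 are counted as application-layer requests.
    """
    proto, dport, flags = rec["proto"], rec["dport"], rec.get("flags", "")
    if proto == "icmp":
        return "icmp-flood"
    if proto == "udp":
        return "dns" if dport == 53 else "udp-flood"
    if proto == "tcp":
        if flags == "S":
            return "tcp-flood"
        if dport == 80:
            return "http"
        if dport == 443:
            return "https"
    return None


def vector_rates(records: list[dict], window_s: float) -> dict[str, float]:
    """Packets per second attributed to each vector over one observation window."""
    pkts: dict[str, int] = defaultdict(int)
    for r in records:
        vector = classify(r)
        if vector:
            pkts[vector] += r["pkts"]
    return {v: n / window_s for v, n in pkts.items()}


def assess(records: list[dict], window_s: float = 1.0) -> dict:
    """Active vectors above threshold, and whether the attack is multi-vector
    (at least one volumetric and one application-layer vector at once)."""
    rates = vector_rates(records, window_s)
    active = sorted(v for v, pps in rates.items() if pps >= THRESHOLD_PPS[v])
    multi = bool(set(active) & VOLUMETRIC) and bool(set(active) & APPLICATION)
    return {"active": active, "multi_vector": multi, "rates": rates}


# Constructed one-second window mixing floods with request-level traffic.
MIXED_WINDOW = [
    {"proto": "tcp", "dport": 80, "flags": "S", "pkts": 60_000},    # SYN flood
    {"proto": "icmp", "dport": 0, "pkts": 30_000},                  # ICMP flood
    {"proto": "tcp", "dport": 443, "flags": "PA", "pkts": 3_500},   # HTTPS requests
    {"proto": "udp", "dport": 53, "pkts": 800},                     # normal DNS
    {"proto": "tcp", "dport": 80, "flags": "PA", "pkts": 400},      # normal web
]
# Constructed window with a single volumetric vector only.
SYN_ONLY_WINDOW = [
    {"proto": "tcp", "dport": 80, "flags": "S", "pkts": 90_000},
]

if __name__ == "__main__":
    for name, window in (("mixed", MIXED_WINDOW), ("syn-only", SYN_ONLY_WINDOW)):
        result = assess(window)
        print(name, result["active"], "multi-vector" if result["multi_vector"] else "single-vector")
```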

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/19/hsbc_ddos/