STE WILLIAMS

NZ blogger names source for data leak tipoff

Blogger Keith Ng, who went public over the deeply careless implementation of New Zealand’s Ministry of Social Development job-seeker kiosks, has named the man who gave him the tip-off as Ira Bailey.

The revelation, which Ng writes was made with Bailey’s permission, adds a certain spice to the story, since Bailey is an activist who was arrested in 2007 as part of a series of raids over “terrorist” camps in New Zealand’s Urewera Ranges. Charges were not pursued.

Ng states that Bailey had asked the MSD whether it offered any kind of “bug-bounty”, and denies that this inquiry amounted to a “demand” for money.

While not describing the request as a demand, ministry CEO Brendan Boyle said yesterday that “He indicated he would be prepared to co-operate with us if there was a reward for providing information. We made it very clear we didn’t provide money in situations like that.”

According to Ng, Bailey discovered the security vulnerability while trying to work out why a kiosk didn’t load his USB key: “he had a poke around the file system to find it – and found the giant vulnerability instead”.

The kiosks were installed by Dimension Data, which earlier this year reportedly conducted an audit of the system.

While calling the privacy breach “totally unacceptable”, NZ prime minister John Key has lashed out at Bailey, saying in a television interview that Bailey should have identified the kiosks as vulnerable when he first contacted the ministry.

The political row over the privacy breach seems certain to widen, since the security of government information has been a sore point for some time. In 2009, that country’s Privacy Commissioner criticized the security of citizens’ information across a range of departments.

New Zealand’s Accident Compensation Corporation is under siege after accidentally releasing thousands of customer records last year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/15/keith_ng_names_bailey_as_source/

Leaked AT&T files show planned anti-piracy measures

A series of what are claimed to be leaked training manuals show that AT&T will get a lot more aggressive with its customers over suspected internet piracy, beginning this November.

The documents, allegedly obtained by TorrentFreak, say that AT&T will contact customers who have been identified as pirates by copyright owners. Customers accused of breaking copyright law will then be given six strikes, with an escalating series of sanctions.

“In an effort to assist content owners with combating on-line piracy, AT&T will be sending alert e-mails to customers who are identified as having been downloading copyrighted content without authorization from the copyright owner,” the documents read.

“The reports are made by the content owners and are of IP-addresses that are associated with copyright infringing activities. AT&T will not share any personally identifiable information about its customers with content owners until authorized by the customer or required to do so by law.”

The incomplete leak shows that on the fourth warning AT&T customers will be redirected to an “education page” when they try to reach certain unspecified sites, although El Reg would lay a bet that The Pirate Bay is on the list. Offending customers will have to complete an educational tutorial about copyright before they are allowed to carry on browsing to those sites.

By the fifth alert, AT&T’s documents say copyright holders will be able to start legal action against the customer, and the company will hand over the personal information of the user in question upon receipt of a court request.

The scheme is due to be introduced on November 28, in the week following the Thanksgiving national holiday, and Cablevision, Comcast, Time Warner Cable and Verizon are expected to announce similar plans around that time – but no one is talking to the press about it.

The organization identifying copyright infringement is thought to be the Center for Copyright Information (CCI), which is proposing the six-strikes system. On its website the organization – which is made up of copyright holders, ISPs and privacy groups – details the six-strikes process, dubbed the Copyright Alert System.

Under the proposed system, the RIAA and MPAA will notify CCI of any IP address they suspect of harboring pirates. Users will then receive a series of warnings; after the first two suspected infringements the user must acknowledge receipt of the notice, after which a graduated system of “mitigation measures” applies, although the CCI states that cutting off internet access altogether isn’t in the cards.

“Mitigation Measures may include, for example: temporary reductions of internet speeds, redirection to a landing page until the subscriber contacts the ISP to discuss the matter or reviews and responds to some educational information about copyright, or other measures that the ISP may deem necessary to help resolve the matter,” the CCI states.

Users who feel they have been falsely accused have a right of appeal at any stage, the CCI states, and any requests will be subject to an independent review from the American Arbitration Association. There’s no mention of what kinds of costs will be involved in appealing.

AT&T’s six-strikes scheme is similar to that run by the French government under the name Hadopi, although the French system seems tougher – it only allows for three strikes. So far the Gallic scheme has sent out over a million emails warning internet users suspected of piracy. That country’s government has spent around €12m a year since 2010 on the agency, which employs 60 copyright police.

The net result of all that effort is that no one has been prosecuted under the scheme, and peer-to-peer use in France actually went up after it was started. The new French administration is now considering cutting the scheme as a waste of taxpayer money, although Hollywood mogul Harvey Weinstein loves it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/15/att_piracy_plan/

Paid secur-o-ware is generally better than free, but not always by a lot

Antivirus tests that assess the effectiveness of security products from the moment users visit infected websites have exposed widely differing performances among the various anti-malware products.

The unsponsored tests by Dennis Technology Labs, which were run over a three-month period, revealed that the efficacy of paid-for anti-malware security suites varies widely, but that all of them beat Microsoft’s free product. The exercise also found that blocking malicious sites on the basis of reputation was an effective approach in all the tested products, and it recorded false positives (labeling a legitimate application as malicious) alongside protection results when grading them.

The researchers exposed test systems to infected websites that exploit vulnerabilities to drop malware, in order to see how well the web-reputation and exploit-detection features built into modern security packages work. “This means that we provide a complete environment, allowing the products to use a wide range of in-built technologies to defend themselves,” explained Simon Edwards, technical director at Dennis Technology Labs.

The researchers looked beyond file detection, behaviour analysis and on-demand scanner features and analysed how systems loaded with security packages behave when exposed to threats on the interwebs. The exercise – framed within the guidelines of the Anti-Malware Testing Standards Organization (AMTSO, www.amtso.org) – looked at the efficacy of consumer, small-business and enterprise security suites.

Kaspersky Internet Security 2012 and Norton Internet Security 2012 both earned the highest “AAA” rating for their consumer security software. BitDefender Internet Security 2013 and ESET Smart Security 5 both scored an “AA” rating. Other consumer security packages put through their paces earned lesser rankings: Trend Micro Internet Security 2012 scored a “B”, while AVG Internet Security 2012 only managed a “C”. McAfee Internet Security 2012 and Microsoft Security Essentials failed to achieve a passing grade.

Sophos Anti-Virus Business and Kaspersky Small Office Security earned the highest “AAA” rating for their small business products, with Trend Micro Worry-Free Business Security Services and Symantec.Cloud earning an “A”.

But despite a mediocre rating in other categories, Symantec Endpoint Protection stood alone with a triple-A rating in the enterprise category. Only Kaspersky Endpoint Security for Windows, which earned an “A”, got anywhere close.

The Dennis Labs results went beyond on-access and on-demand scanning results and probed a wider range of blocking techniques found in modern anti-malware products. Using less usual (arguably more comprehensive) criteria also meant some well-regarded consumer security products that normally test well performed poorly.

“McAfee and AVG did relatively poorly in the consumer test because they were compromised quite a few times, and neutralised fewer threats than the better-performing products,” Edwards explained. “This could be because the web reputation systems were not as strong as those of the other products. That’s my best guess. The best ones simply blocked the sites and so did not have to grapple with recognising and terminating malware.”

Different Strokes

The researchers’ results were also unusual in that a different vendor won each of the three categories. Edwards explained that tests can reveal differences between products, even from the same vendor.

“Sometimes this is because the settings have been changed for different markets,” Edwards told El Reg. “For example, a vendor may tune a business product to generate false positives less often than a consumer product.

“Vendors also include different sets of features and technologies in different products. Some may try out new engines or techniques in consumer products and then push these out to business products when they are sure that they are stable. Some take the opposite approach, trying out new technologies in their business products.

“There is another, more interesting reason for the difference in effectiveness. There can be bugs in one product that don’t exist in another. For example, Kaspersky’s results differ because of one such issue,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/15/anti_virus_tests/

Second LulzSec member pleads guilty to Sony hack

A second suspect has admitted involvement in last year’s high-profile attack on the Sony Pictures website by the notorious hacking crew LulzSec.

Passwords and personal information were leaked as a result of the breach in May 2011. The site was breached using an SQL injection attack, a common hacking technique, to extract the personal information (names, birth dates, addresses, emails, phone numbers and passwords) of individuals who had entered Sony competitions. At least 38,000 records were exposed.
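The mechanism behind that kind of breach, as an added example that is not Sony’s code or schema and not part of the original report: a competition-entry lookup that splices user input into the query text lets a single crafted value return every entrant’s password, while the same lookup with a bound parameter returns nothing for that input. The table layout, column names, sample rows and the `PAYLOAD` string are all constructed for illustration.

```python
"""Added example: SQL injection against a competition-entry table, and the
parameterised query that closes it. Schema and data are constructed and are
not Sony's; they only mirror the fields the report says were exposed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory entrants table with a few rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entrants ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, birthdate TEXT, "
        "phone TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO entrants (name, email, birthdate, phone, password) "
        "VALUES (?, ?, ?, ?, ?)",
        [
            ("Alice Example", "alice@example.com", "1980-01-01", "555-0100", "hunter2"),
            ("Bob Example", "bob@example.com", "1975-06-15", "555-0101", "letmein"),
            ("Carol Example", "carol@example.com", "1990-12-31", "555-0102", "passw0rd"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Vulnerable: the user-supplied value becomes part of the SQL text, so a
    quote character in it ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name, email FROM entrants WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Hardened: the value is bound as a parameter. The database driver never
    re-parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM entrants WHERE email = ?", (email,)
    ).fetchall()


# Constructed attacker input: closes the string literal, UNIONs in two columns the
# page was never meant to display, and comments out the dangling closing quote.
PAYLOAD = "x' UNION SELECT email, password FROM entrants -- "


def demo() -> tuple[list[tuple], list[tuple]]:
    """Run the same input through both lookups and return (leaked, blocked)."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)   # every entrant's email + password
    blocked = lookup_safe(conn, PAYLOAD)        # no row has that literal email
    return leaked, blocked


if __name__ == "__main__":
    leaked_rows, blocked_rows = demo()
    print("vulnerable lookup returned", len(leaked_rows), "rows:", leaked_rows)
    print("parameterised lookup returned", len(blocked_rows), "rows")
```

The UNION form is the one that matches the report: it dumps data rather than bypassing a login. The only column-count constraint is that the injected SELECT returns as many columns as the original, which an attacker finds by trial; the parameterised version is immune regardless of payload shape.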

Raynaldo Rivera (AKA “neuron,” “royal,” and “wildicv”), 20, of Tempe, Arizona, appeared in court last week to plead guilty to involvement in the hack. Another suspect, Cody Kretsinger, 23, of Phoenix, Arizona, pleaded guilty to similar computer hacking and conspiracy offences back in April under a comparable plea-bargaining agreement.

Both are due to be sentenced next year.

Rivera used the HideMyAss anonymising proxy service in an attempt to disguise his IP address while he carried out reconnaissance work, probing Sony Pictures’ website for security vulnerabilities. HideMyAss turned over his IP address after the authorities issued a court order, ultimately exposing Rivera’s identity. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/15/lulzsec_suspect_pleads_guilty_sony_hack/

British car parks start reading number plates

UK car parks are now reading number plates to ensure everyone pays their due: payments are deducted from a registered account, unregistered parkers get a ticket, and everyone gets tracked.

The system is called SwishPARK and already operational in eleven car parks, six in Welwyn Garden City, the rest scattered around England. The companies involved are planning a rapid expansion.

The charging is handled by paythru, which already provides mobile billing for car parks, enabling registered users to pay for parking by texting the car-park code to paythru. SwishPARK removes even that step: it reads the number plate as a car enters a parking area, deducts the cost when it leaves, and spots unregistered parkers at the same time.

The technology is nothing new, but this launch significantly increases the spread of numberplate scanning by bundling it all into a publicly-available package. Ranger Services provides the automatic number plate recognition (ANPR) tech here while Parkeon has the spaces and paythru collects the cash.

Every car which enters a SwishPARK site has its number plate read, the details being run through the paythru database to identify the account. If there’s no account then the driver is given a little time to pay by other means (paythru can take registrations through a .mobi site), but eventually a fine will be issued, which can be served via the DVLA details linked to the plate.

As one account can be used to park in any car park, paythru gains lots of useful demographic data about where people are going and when, but the company told us it has no plans to do anything with that information despite the way it encourages car parks to make use of the location-specific data they’ll be provided with.

Paythru is very excited about the potential for that data, and provided an example: a case of mysteriously-packed car parks which turned out to be down to the opening of the Twilight movie nearby, which definitely begs some privacy questions.

Seeing Twilight is certainly something one would want to keep quiet about, unless one is a teenage girl, but given that one’s credit card company, mobile operator and the cinema itself will soon know, any chance of keeping such a foul deed under one’s hat would seem minimal. Should the car park really be a worry, then travel by motorcycle: SwishPARK admits that the lack of a front plate makes two-wheeled transport invisible to it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/15/parkreg/

NZ government network leaking data like a sieve

A row has broken out in New Zealand after a blogger exposed serious security flaws in that country’s job-seeker network.

The blogger, Keith Ng, demonstrated that public job-seeker kiosks had unauthenticated access to the corporate network of the Ministry of Social Development (MSD).

His posting raised concerns that attackers might have similar access to MSD documents not only from kiosks, but from the Internet. The MSD has shut down all kiosks while it investigates the incident, but has still been criticized by Paul Matthews, CEO of NZ’s Institute of IT Professionals, for a “systematic failure of IT security and governance”.

Ng himself, however, has come under criticism for his voracious appetite for grabbing files to prove his point. As his blog post shows, Ng took a look at files for contractor invoices, hours worked, medical information, debt collection, fraud investigation. He notes that “I sorted through 3,500 invoices … about half of what I obtained”.

While demonstrating that the network was unsecured represents a considerable service to the public, not knowing when to stop has probably put the blogger well on the wrong side of the law. Over at National Business Review there’s some lawyerly punch and counterpunch about whether, in fact, Ng went so far he’s at risk of jail under New Zealand’s Crimes Act, even though “prosecution guidelines meant action was unlikely to be taken”.

Ng’s blog post notes his intention to hand all the documents he obtained over to New Zealand’s Privacy Commissioner. ®

Update: The New Zealand government and the Ministry of Social Development have held a press conference in which the Minister, Paula Bennett, has apologised for the security breach.

It appears unlikely that Keith Ng will be prosecuted, with the ministry’s CEO Brendan Boyle telling the press conference he appreciated that Ng had kept the information he gathered secure, and had communicated with the New Zealand Privacy Commissioner.

“Let’s get to the bottom of it, find out how and why, and make sure it never happens again. I am mortified … that anyone’s information was accessed in this way,” the minister said.

Boyle has announced an inquiry, with terms of reference to be set within the next 24 hours and a report requested within two weeks, saying “I want to find out why the system was architected in a way that is insecure”. He told the press conference he expects both the terms of reference and the report to be made public within the constraints of security.

Boyle also told the press conference that an unnamed individual had contacted the ministry last week, offering to exchange information about the kiosks’ insecurity for money. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/14/nz_mnd_leaks_data/

Google readying on-device malware scanner for Android

Android malware is on the rise, but the good news is that Google isn’t sitting still for it. The search giant is reportedly readying a comprehensive anti-malware system for its mobile OS that will soon be able to spot malicious apps not just in the Google Play store, but also on Android devices themselves.

According to a report by the Android Police fan site, the latest, as-yet-unreleased build of the Google Play shopping app contains code snippets that suggest links to a future onboard malware scanner.

Text strings included in the Google Play 3.9.16 APK package file include such tidbits as, “Allow Google to check all apps on this device for harmful behavior?” And, “To protect you, Google has blocked the installation of this app.”

These phrases are apparently text prompts that will be offered by a forthcoming Google Play feature, identified in the new build as “App Check.”

To be clear, this anti-malware feature is not yet actually included in any known build of the Google Play app. Another text string found in the new app package says, “To learn more, go to Settings > Security” – but no such settings panel exists in the 3.9.16 version.

Rather, the presence of these items is strong evidence that malware scanning is a feature that Google is currently cooking up in its labs, and which will eventually appear in some future version of its store app.

That will be good news for Android users. The Chocolate Factory already scans apps in the Google Play store for malicious behavior using a system known as Bouncer, but that hasn’t prevented a number of high-profile incidents in which scammers have used rogue apps to swindle Android users out of cash and device data.

Most recently, some 1,400 people in the UK were left lighter in the pockets after they downloaded Android scam apps disguised as the latest Rovio Angry Birds game. What the rogue apps actually did was send SMS messages to premium-rate services, costing the unwitting users up to £15 each.

Part of the problem is that unlike Apple iPhones, Android phones generally allow users to install apps from sources other than the Google Play store, which can be risky. Some models require the user to explicitly enable this capability, while others ship with it switched on by default.

So far, Google’s server-side Bouncer app scanning has had no way to screen apps from third-party app stores. But with anti-malware capabilities installed on the devices themselves, Android handsets and fondleslabs will be able to flag suspicious apps no matter where they come from.

For now, however, exactly how Google’s on-device malware scanning will work – and how well – is strictly up to speculation.

So is when it will actually become available, although there’s a good chance it might arrive with the next version of the Android OS. Rumor has it that version will be known as Android 4.2, code named “Key Lime Pie,” and it could ship with an upcoming LG handset as soon as November. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/13/android_ondevice_malware_scanning/

Small biz scrappers urged to take the fight to hackers

RSA Europe Small businesses should consider the possibility of developing well formulated plans for “hacking back” at aggressors in the event of a hack attack.

Presenting an “active defence” would not be a form of vigilantism and could even work within the law, argued two speakers at a presentation at the RSA Europe conference.

Companies and governments are constantly under siege by hackers and malware. Standard incident response is failing and police are overstretched. Faced by these challenges, small businesses have the option to actively respond against attackers rather than mounting only a passive defence.

Rather than jumping to the conclusion that any defensive action beyond currently accepted techniques is illegal, better and more effective options need to be considered, the argument runs.

David Willson, a lawyer at Titan Info Security Group and a retired US Army officer, said active response could include measures such as modifying a persistent bot infection on a network so that its command channel is swamped. The particular response ought to depend on the severity and persistence of a threat. Measures such as running a honeypot can also help.

Small businesses ought to consult with lawyers beforehand in coming up with an active defence response plan that’s akin to a disaster recovery procedure.

Attribution – determining the source of a cyber-attack – is normally considered a difficult problem.

Davi Ottenheimer, president of flyingpenguin, an expert in incident response and digital forensics, added that attackers running denial of service attacks almost always connect back to their main server.

Microsoft’s ongoing Project Mars (Microsoft Active Response for Security) botnet takedown campaign has been criticised by elements of the security community for failing to work with law enforcement. The lack of liaison means that takedowns could interfere with ongoing (secret) police investigations.

Similar criticisms might potentially be levelled at small businesses running an active defence.

Ottenheimer argued that if law enforcement can’t help businesses then businesses are entitled to take their own action. “At the very least you can make it too expensive for attackers to target you so that they move onto other targets,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/12/active_defence/

Anonymous turns on ‘one man Julian Assange show’ Wikileaks

Members of hacker collective Anonymous have stopped supporting Wikileaks after the site put up a paywall, saying that Wikileaks is more bothered about Julian Assange than getting information to the public.

In a statement on Pastebin, linked through from Anonymous Twitter account AnonymousIRC, the group said Wikileaks had turned into the “one man Julian Assange show”.

“The idea behind Wikileaks was to provide the public with information that would otherwise be kept secret by industries and governments. Information we strongly believe the public has a right to know,” the statement said.

“But this has been pushed more and more into the background, instead we only hear about Julian Assange, like he had dinner last night with Lady Gaga. That’s great for him but not much of our interest. We are more interested in transparent governments and bringing out documents and information they want to hide from the public.”

As well as getting ticked off with the site’s focus on its founder, Anonymous also disagrees with the new way it’s soliciting donations. Visitors to the site now get a pop-up donation page before they can read any documents. The only ways past it are to give Wikileaks some money or to disable JavaScript, after which the leaked documents load as before.

“The casual user (which is the majority) usually has Javascript enabled and thus will be blocked by the donation banner and denied the content. Additionally, the casual user does not know that he needs to disable javascript to get to the content without paying – sorry, donating,” Anonymous complained.

The anarchic online hacker collective and the leaked document website used to be good friends, with Anonymous supplying content to Wikileaks and supporting Assange’s attempts to avoid extradition with attacks on websites.

But Anonymous has tweeted its outrage at Wikileaks’ attempts to drum up donations and said it won’t “pay for Assange’s lawyers”.

The group said it still doesn’t think Assange should be extradited but it “cannot support anymore what Wikileaks has become”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/12/anonymous_drops_wikileaks/

Jimmy Wales: It was Wikipedia that ended the evil of SOPA

RSA Europe Wikipedia founder Jimmy Wales said the site’s blackout played a key part in defeating the USA’s controversial Stop Online Piracy Act (SOPA).

The English version of Wikipedia, Reddit and hundreds of other smaller websites coordinated a notional service blackout for a day in mid-January to raise awareness of SOPA. Wales described SOPA as introducing a Chinese-style blocking system in response to complaints about copyright infringement. In response, Wales said, 10 million people contacted Congress (an unnamed senator told Wales) and the bill was pulled days later.

“I am quite anti-piracy. This was a strike against bad legislation,” the beardy Alabama native said. “Those who say this was Silicon Valley versus Hollywood are missing the involvement of the general public. Too much power to arbitrarily shut down websites is dangerous.”

The blackout of Wikipedia followed a similar effort in Italy and was followed by a far less successful campaign in Russia. Wales, who has moved to the UK and now lives in London, suggested that the Wikipedia community would be very selective about wielding the tactic in future protests. He said the rule of thumb would be that the protest should involve an issue that affects Wikipedia’s core operations (such as freedom of speech) rather than as a part of a mass protest about a more general issue, such as economic austerity programmes or a proposed war.

Wales hit the news recently with campaigns against the UK’s draft Communications Data Bill, described by critics as a “Snooper’s Charter”, and also when he set up a petition requesting that Home Secretary Theresa May block the extradition of UK student Richard O’Dwyer to the US over alleged copyright infringement offences connected with his TVShack.net site.

The Communications Data Bill, should it become law, would make it somewhat more feasible for government agencies to monitor traffic via Facebook, Skype and Twitter private messages. Only the parties involved in messages and not the content of messages would be recorded.

Wales objects to the measure on privacy grounds, arguing it would be far better to apply a legal process to tap the communication of specific suspects rather than “escrowing and pre-archiving 66 million people’s data on the premise that a handful of them might be paedophiles”.

Last month Wales raised the possibility of encrypting all connections with Wikipedia if the controversial draft bill becomes law. Speaking at the RSA Europe conference this week, Wales gave no timetable on when this might happen. He said that moving to Hypertext Transfer Protocol Secure (HTTPS) by default was desirable anyway, but that the UK’s Snooper’s Charter might speed up the process.

“We should all be moving to HTTPS everywhere to secure connections to websites,” and prevent attacks such as session hijacking, Wales said. He added that Google’s experience showed that applying encryption doesn’t add much in extra costs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/12/jimmy_wales_wikipedia_keynote_rsa/