STE WILLIAMS

Congress report warns: drones will track faces from the sky

With the FAA working on rules to integrate drones into airspace safety by 2015, the US government’s Congressional Research Service has warned of gaps in how American courts might treat the use of drones.

The snappily-headlined report, Drones in Domestic Surveillance Operations: Fourth Amendment Implications and Legislative Responses (PDF here), notes drones now in use can carry thermal imaging, high-powered cameras, license plate readers and LIDAR (light detection and ranging). “Soft” biometrics and facial recognition won’t be far behind, the report suggests, allowing drones to “recognize and track individuals based on attributes such as height, age, gender, and skin color.”

“The relative sophistication of drones contrasted with traditional surveillance technology may influence a court’s decision whether domestic drone use is lawful under the Fourth Amendment,” the report compiled by legislative attorney Richard Thompson II states.

The report expresses a view that in most cases, using drones to spy on people in their homes would have to fall within the legal “plain view” doctrine (which means police can only carry out surveillance of someone’s home from a “lawful vantage point”). However, areas nearby the home – say, in a driveway or at a gate – receive a much more ambiguous protection.

The report is also concerned that the falling cost of drones could, in itself, exacerbate privacy concerns, noting that: “access to inexpensive technology may significantly reduce budgetary concerns that once checked the government from widespread surveillance.”

The Congressional research report comes hard on the heels of a Panopticon-style FBI project becoming public: the Feds’ billion-dollar facial recognition “Next Generation Identification” project, described here in New Scientist.

Concerns about citizens being “droned” into a Panopticon aren’t confined to America. Following stories in the Sydney Morning Herald about the increasing adoption of unlicensed private drones in Australia, the nation’s Privacy Commissioner Tim Pilgrim has called for public debate about the technology, since the use of a drone by individuals “in their private” capacity is not covered by Australia’s Privacy Act. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/13/congress_warns_on_drones/

Analysts: Shamoon oil biz malware flingers were ‘amateurs’

Fresh analysis of the Shamoon malware has concluded that its authors are more likely to be “skilled amateurs” rather than elite cyber-spies.

Shamoon has been linked to recent high-profile malware outbreaks at Saudi Aramco and RasGas, Gulf-based oil and gas firms. Saudi Aramco lost its network for 10 days as a result of the attack, which affected 30,000 workstations. The outbreak was particularly nasty because Shamoon contains file-wiping functionality that can make infected machines inoperable as well as destroying data.

A previously unknown group called Cutting Sword of Justice claimed responsibility for the attack. Reports by Reuters suggest an internal mole may have played a hand in spreading the malware, but this remains unconfirmed.

Security researchers at Kaspersky Labs have taken apart the malware, revealing the details of how Shamoon worked in the process. Dmitry Tarakanov concludes that controversial features, such as planting the image of a burning US flag on compromised PCs, and (more damningly) coding errors mean that it’s more likely to be the work of amateurs than of elite coders such as the developers of ZeuS or Stuxnet.

Programming errors in the Shamoon communication module mean that the malware is incapable of downloading and running other strains of malware.

“We’ve got other clues that people behind creating the Shamoon malware are not high-profile programmers and the nature of their mistakes suggests that they are amateurs albeit skillful amateurs as they did create a quite practicable piece of self-replicating destructive malware,” Tarakanov concludes at the end of his technically detailed analysis. “The fact that they used a picture of a fragment of a burning US flag possibly shows that the motive of Shamoon’s authors is to create and use malware in a politically driven way. Moreover, they wished that their protest which was embedded into the malware would not go unnoticed.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/12/shamoon_analysis/

Anonymous doxes Cambodia after Pirate Bay arrest

Hacktivist group Anonymous has been up to its old tricks again, this time claiming to have hacked and uploaded a heap of sensitive Cambodian government documents in retaliation for the arrest and extradition back to Sweden of The Pirate Bay (TPB) co-founder Gottfrid Svartholm Warg.

Warg was arrested in Cambodia by Swedish police under an international warrant and shipped back to the motherland last week to start the one year prison term handed down to him in 2009.

The co-founder of the world’s most famous torrent site may also face fresh charges of helping to hack the Swedish government’s tax office and IT consultancy Logica.

Anonymous released a short statement and links to over 5,000 sensitive government documents as part of a new campaign dubbed #OpTPB.

“In retaliation for extradition by Cambodian gov of our fella brother Gottfrid, we present this release of dozen government agencies and offices in Cambodia doxxed like hell,” it said.

“You will find there lotsa stuff including Cambodian and Nepal drug trafficking authorities, army, consulates, Kyrghyztan and Ukraine classified documents, Belarus, India etc etc all related to Cambodian authorities and business. Also included internet banking certificate depos and clients which belong to the mentioned authorities.”

The Wall Street Journal claimed last week that NullCrew, a group seemingly attached to Anonymous with a LulzSec-like logo, had also been up to mischief hacking various Cambodian government and armed forces web sites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/12/anonymous_cambodia_optpb/

Al-Jazeera’s mobe news feed hijacked by pro-Assad hacktivists

Pro-Syrian government hacktivists have cracked the mobile update service of al-Jazeera, the Qatar-based satellite news network.

Three fake news stories were pushed through al-Jazeera’s SMS alert service as a result of the breach, the BBC reports. One of the reports was apparently a bogus alert that an attempt had been made on the life of Qatar’s prime minister, Hamad bin Jassim Al Thani. The pro-Assad Syrian Electronic Army (SEA) claimed responsibility for the assault.

The hack is the fourth of its kind over recent weeks. Last week hackers defaced al-Jazeera’s Arabic-language website, plastering the image of a Syrian flag on its front page. That particular assault – by a group calling itself al-Rashedon – followed a February defacement (a screenshot of that defacement was archived by thehackernews.com here), another attack claimed by the SEA. More recently the Syrian Electronic Army claimed to have been responsible for the hijack of al-Jazeera’s Twitter feed, where the hijacker posted updates denouncing Syrian opposition fighters.

The Syrian Electronic Army also targeted Saudi-owned Al Arabiya News, Reuters and a Harvard University website as part of an ongoing propaganda offensive on the web that has accompanied the bitter months-long civil war in Syria.

Gulf States have been supportive of Syrian rebels fighting against President Bashar al-Assad’s regime since the conflict began, a factor that has made al-Jazeera (in particular) a prime candidate for attack.

The Syrian Electronic Army maintains a fairly sophisticated website that has also been used to publish the supposed email addresses and passwords of 11,000 NATO supporters and 700 Anonymous members. The authenticity of either list remains unproven. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/11/al_jazeera_mobile_service_hack/

Day-long outage ‘not a hack,’ claims GoDaddy

Domain registrar GoDaddy has commented on the daylong DNS outage that downed many of its customers’ websites on Monday, saying that not only was a hacker not responsible, but that the service interruption wasn’t the result of a DDoS attack at all.

“The service outage was not caused by external influences,” Scott Wagner, the company’s interim CEO, wrote in a canned statement. “At no time was any customer data at risk or were any of our systems compromised.”

On Monday, a hacker using the Twitter handle AnonymousOwn3r claimed responsibility for the outage, saying he was attacking GoDaddy’s DNS servers “to test how the cyber security is safe and for more reasons i can not talk now [sic].”

Not true, says GoDaddy. Instead, the downtime was caused by “a series of network events that corrupted router tables.” The company says that it has since corrected the problems that triggered the outage and has implemented measures to prevent a similar event from happening again.

During the outage, GoDaddy shifted its own DNS servers to competitor VeriSign, Wired reports, so that the GoDaddy.com domain would remain online. But GoDaddy customer websites remained inaccessible for around six hours in all, beginning at around 10.00 Pacific time (17.00 GMT/18.00 BST) and ending around 16.00 Pacific (23.00GMT/24.00BST).

“Throughout our history, we have provided 99.999 per cent uptime in our DNS infrastructure,” Wagner wrote. “This is the level our customers expect from us and the level we expect of ourselves. We have let our customers down and we know it.”

The hacker collective known as Anonymous was quick to distance itself from AnonymousOwn3r’s claims, with several Anonymous-affiliated Twitter feeds denying that the group had anything to do with taking down GoDaddy.

On Tuesday, Twitter feeds were alive with speculation about the incident, with many accusing AnonymousOwn3r of fabricating his story. Others, however, were unsatisfied with GoDaddy’s explanation:

AnonymousOwn3r himself maintains that he was solely responsible for the outage, and that GoDaddy is covering up his attack because it doesn’t want to reveal how weak its security really is. At this juncture, he is reportedly mulling ways to prove his credibility. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/11/godaddy_outage_not_a_hack/

Zombie PC herders issue commands from Tor hideout

Security researchers have discovered a botnet that uses the Tor anonymiser network to hide its command nodes.

Owners of the compromised network of Windows PCs have placed their command-and-control server, which uses the common IRC protocol, as a hidden service inside of the Tor network. Aside from the use of Tor for extra anonymity and stealth, the zombie network is otherwise unremarkable, according to security researchers at German security firm G Data.

The botnet is capable of lending itself to running DDoS attacks, distributing adware or secondary malware, and other scams.

Botnet owners have moved from running a central C&C server (subject to takedown) to using a peer-to-peer architecture over recent years. P2P systems give every zombie in a botnet the ability to issue commands to other drones. However, this introduces other problems for cybercrooks because it creates a means for either rival scammers or the authorities to take over their botnet, unless a strong and difficult-to-apply authentication mechanism is built into the system to thwart potential hijacks.

Cybercrooks have also experimented with Twitter as a control channel, but the approach has not really caught on.

Tor is generally known as a web anonymization service, but the technology also creates a handy means to run an IRC server as a hidden service, a possibility exploited by bot herders.

This novel approach brings all sorts of advantages for zombie PC herders, as G-Data explains.

Since the server is anonymous, it cannot point towards the botnet owners’ identity. Botnet control traffic is encrypted by Tor, so it can’t be blocked by Intrusion Detection System monitors (a standard component of modern enterprise security systems). Blocking Tor traffic in general is problematic because there are legitimate uses for the technology.

In addition, Tor servers can’t easily be taken down. Although Tor tends to be slow and unreliable, due to in-built latency, this minor disadvantage is more than offset by the many advantages Tor offers as a venue for a botnet command server.
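Because the control channel is encrypted end to end by Tor, an IDS cannot read the IRC commands inside it; what network metadata still exposes is which internal hosts keep opening connections to IP addresses published in Tor’s relay consensus. Tor clients pin a small set of entry guards and reconnect to them, so the tell-tale pattern is the same host talking to the same few relay IPs over and over. The following detector is an added example and not G Data’s code: the relay IPs, host addresses and flow records are constructed, and an approved-hosts list is assumed so that legitimate Tor users are not flagged, since the article notes blocking Tor outright is problematic.

```python
"""Flag internal hosts that look like Tor clients, using flow metadata only.

Added illustration, not G Data's analysis code. All relay IPs, hosts and
flow records below are constructed; in practice the relay set is built from
Tor's public relay consensus and refreshed regularly.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int        # epoch seconds when the connection opened
    src: str       # internal host
    dst: str       # remote IP
    dport: int
    duration: int  # seconds the connection stayed up


# Constructed stand-in for the relay set derived from the Tor consensus.
TOR_RELAYS = {"198.51.100.7", "203.0.113.42", "192.0.2.200"}

# Hosts with a documented reason to use Tor (assumed: an analyst workstation).
APPROVED_TOR_HOSTS = {"10.0.5.20"}

SAMPLE_FLOWS = [
    # 10.0.7.33 is a file server: it reconnects to the same guard every ~10 min.
    Flow(1000, "10.0.7.33", "203.0.113.42", 9001, 900),
    Flow(1600, "10.0.7.33", "203.0.113.42", 9001, 880),
    Flow(2200, "10.0.7.33", "203.0.113.42", 9001, 910),
    Flow(2800, "10.0.7.33", "198.51.100.7", 443, 870),
    # 10.0.5.20 is approved: same behaviour, must not alert.
    Flow(1000, "10.0.5.20", "192.0.2.200", 443, 3000),
    Flow(4100, "10.0.5.20", "192.0.2.200", 443, 3000),
    # 10.0.9.8 touched a relay IP once, briefly. A relay can share its address
    # with an ordinary website, so one short hit is not enough to alert.
    Flow(1500, "10.0.9.8", "198.51.100.7", 443, 4),
    # Ordinary traffic to a non-relay address.
    Flow(1700, "10.0.9.8", "192.0.2.10", 443, 2),
]


def detect_tor_clients(flows, min_sessions=3, min_duration=600):
    """Return one alert dict per unapproved host showing Tor-client behaviour.

    A host alerts if it opened at least `min_sessions` connections to relay
    IPs, or kept any single relay connection up for `min_duration` seconds.
    The thresholds are tuning knobs, not constants from the article.
    """
    per_host = defaultdict(list)
    for f in flows:
        if f.dst in TOR_RELAYS:
            per_host[f.src].append(f)

    alerts = []
    for host, hits in sorted(per_host.items()):
        if host in APPROVED_TOR_HOSTS:
            continue
        long_lived = [f for f in hits if f.duration >= min_duration]
        if len(hits) < min_sessions and not long_lived:
            continue
        alerts.append({
            "host": host,
            "relay_sessions": len(hits),
            "distinct_relays": sorted({f.dst for f in hits}),
            "longest_session_s": max(f.duration for f in hits),
            "first_seen": min(f.ts for f in hits),
            "last_seen": max(f.ts for f in hits),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_tor_clients(SAMPLE_FLOWS):
        print(alert)
```

The output is a triage list rather than a block decision: a server that has no business running a Tor client is the interesting case, while an approved analyst box is filtered out up front. Matching on relay IPs is cheap but lags relay churn and misses bridges, so this belongs beside, not instead of, host-based checks for the Tor client itself.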

G-Data’s analysis of what it describes as the “latest evolution in botnet C&C” can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/11/tor_controlled_botnet/

Pirate Bay co-founder named in probe into Logica, tax office hacks

Gottfrid Svartholm Warg, a co-founder of download haven The Pirate Bay, is back in Sweden – and now faces allegations of playing a role in an attack on the country’s taxmen and IT consultancy biz Logica.

Warg was holed up in Cambodia when he was arrested on an international warrant obtained by Swedish officials and flown home after he failed to return to Sweden to start a one-year prison term. He was sentenced in April 2009 for being an accessory to breaching copyright laws.

It has now emerged, however, that Warg – who didn’t appear at a September 2010 appeal hearing against his conviction due to apparent ill health – was also deported from Cambodia after being deemed a possible suspect in the hacking of websites in Sweden.

The Swedish prosecutor’s office said in a statement (Swedish) on its website today that Warg was under preliminary investigation for his alleged involvement in the hacking of Logica and the country’s tax board.

The TPB man was cuffed on 30 August in Cambodia and then returned to Sweden, prosecutors said. He will be held in custody until 14 September. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/11/pirate_bay_co_founder_gottfrid_swartholm_warg_faces_hacking_allegations/

Apple’s soon-to-be-slurped securo firm shrugs off crypto warning

AuthenTec, the security firm that’s the target of a $356m acquisition by Apple, has denied reports that possible cryptographic weaknesses in its fingerprint scanner software pose a risk to the security of laptops.

Apple’s attempted slurp of the fingerprint-scanning firm, which also makes other security products, was announced in July, but Cupertino has yet to secure shareholder and regulatory approval for the deal.

UPEK (a firm acquired by AuthenTec in September 2010) supplies fingerprint readers to manufacturers including Acer, ASUS, Dell, Lenovo, Samsung, Sony, Toshiba and many others. The furore began after Russian password-cracking and auditing tools firm ElcomSoft announced recently that it had discovered flaws in the UPEK Protector Suite, a legacy but still widely used fingerprint reader software suite.

The package came pre-loaded onto many laptops prior to its replacement by AuthenTec’s latest line of TrueSuite software. UPEK Protector Suite manages fingerprint-reading hardware, offering users the option of using a swipe of a finger instead of typing in Windows login passwords.

ElcomSoft claimed laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite stored Windows account passwords in a “barely scrambled but not encrypted” form in the Windows registry. Elcomsoft is withholding details on this security weakness, at least pending a fix from AuthenTec.

Given physical access to a laptop running UPEK Protector Suite, “we could extract passwords to all user accounts with fingerprint-enabled logon”, ElcomSoft warned in an advisory. Windows itself never stores account passwords unless users enable “automatic logon”, which is discouraged by Microsoft.

Corporates often bar Windows auto-logon. By contrast, fingerprint logon is rarely, if ever, barred. However, the alleged security shortcomings of UPEK Protector Suite have cast doubt over the general assumption that biometric security is better than password security. “UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one,” ElcomSoft warns, describing the approach as akin to “introducing a paper link to a stainless steel chain”.

ElcomSoft notes that hackers with physical access to a laptop would probably be able to get at files and folders anyway. But it says the “security weaknesses” supposedly added by the fingerprint reader software would mean hackers would also be able to read EFS-encrypted files, which are secured with a Windows account password.

The Russian firm is advising users of UPEK Protector Suite to disable the Windows logon feature.

You’d need a key-logging exploit, in which case you’re screwed anyway

AuthenTec said on Friday that such measures were unnecessary. It downplayed the security weaknesses highlighted by ElcomSoft, arguing that (in practice) they would only be exploitable if a targeted laptop was contaminated with something akin to key-logger software, in which case hackers would already have complete control of a compromised machine anyway. Nonetheless, AuthenTec is promising an update to harden its AES key generation algorithm, which would be unnecessary if the implementation was already bullet-proof.

AuthenTec takes security seriously, which is why we contacted ElcomSoft shortly after their recent blog post which claimed that ProtectorSuite stores Windows passwords insecurely. AuthenTec evaluated ElcomSoft’s claims after they provided relevant information to the company last night. Based on the findings of our team:

  • ElcomSoft confirmed passwords stored in ProtectorSuite were AES encrypted as AuthenTec expected.
  • ElcomSoft has reverse-engineered the AES key generation algorithm in ProtectorSuite and written code that uses this information to unlock the AES encrypted storage.

Any tool that was to use this code maliciously must be downloaded by a user and given administrator access rights to be effective – making it no more or less potent than widely available key loggers in harvesting personal information.

In order to protect ProtectorSuite users in the event that ElcomSoft makes this code more widely available, AuthenTec is creating an update to ProtectorSuite with a hardened version of our AES key generation algorithm. We expect this new version of ProtectorSuite to be available on our website (www.authentec.com) for free download next week.

Users of ProtectorSuite with the Store To Device option available and enabled would not be affected, as keys are stored on the fingerprint sensor and are unique to each PC.

Elcomsoft’s warning that UPEK Protector Suite stores Windows account passwords in a “barely scrambled but not encrypted” form in the Windows registry is worlds apart from AuthenTec’s assurance that this info is encrypted using AES and safe – providing users are not tricked into downloading and running a decryption utility.
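The two positions are closer than they sound: both agree the password is stored under AES, and both agree ElcomSoft reversed the routine that generates the key. The design question is whether that key depends on anything an offline reader lacks. The following model is an added illustration, not AuthenTec’s or ElcomSoft’s code, and nothing in it is the real ProtectorSuite algorithm. It contrasts a key computed by a fixed function of a constant baked into the product plus a value stored beside the ciphertext (recoverable by anyone with the reversed function and a copy of the hive, which matches Koksharova’s pulled-disk scenario) with the Store To Device design the statement describes, simulated here as a sensor holding a per-device key that never leaves it. The cipher is an HMAC-SHA256 keystream XOR, a stdlib-only stand-in for AES; the lesson does not depend on the cipher.

```python
"""Encrypted credential storage whose key the software can derive is obfuscation.

Added illustration, not AuthenTec's or ElcomSoft's code. Constants, hive
layout and the sensor are all constructed. The stream cipher stands in for
AES so the file runs with the standard library alone.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed: a constant compiled into the product binary. Hidden from users,
# but anyone who disassembles the binary reads it out.
PRODUCT_CONSTANT = b"constructed-product-constant"


def software_derived_key(salt: bytes) -> bytes:
    # Deterministic function of data an offline reader already has: no secret input.
    return hashlib.sha256(PRODUCT_CONSTANT + salt).digest()


class Hive(dict):
    """Stand-in for the registry hive copied from a pulled disk."""


class SoftwareKeyStore:
    """Design A: key derived in software, salt stored next to the blob."""

    def __init__(self, hive: Hive):
        self.hive = hive
        self.hive["salt"] = secrets.token_bytes(8)

    def save_password(self, password: str) -> None:
        key = software_derived_key(self.hive["salt"])
        self.hive["cred"] = encrypt(key, password.encode())


def offline_recover(hive: Hive) -> str:
    """What a reader with the copied hive and the reversed algorithm obtains."""
    return decrypt(software_derived_key(hive["salt"]), hive["cred"]).decode()


class Sensor:
    """Simulated Store To Device: per-device key generated inside the sensor."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never written to the hive

    def wrap(self, data: bytes) -> bytes:
        return encrypt(self._key, data)

    def unwrap(self, blob: bytes) -> bytes:
        return decrypt(self._key, blob)


class DeviceBoundStore:
    """Design B: the hive holds only a blob the sensor alone can unwrap."""

    def __init__(self, hive: Hive, sensor: Sensor):
        self.hive, self.sensor = hive, sensor

    def save_password(self, password: str) -> None:
        self.hive["cred"] = self.sensor.wrap(password.encode())

    def password(self) -> str:   # legitimate path: the sensor is present
        return self.sensor.unwrap(self.hive["cred"]).decode()


def offline_attempt(hive: Hive) -> bytes:
    """Best effort without the sensor: apply the reversed algorithm anyway.

    There is no salt and no product-derived key in play, so the bytes that
    come back are unrelated to the password.
    """
    return decrypt(software_derived_key(hive.get("salt", b"")), hive["cred"])


def demo(password: str = "hunter2") -> dict:
    weak_hive = Hive()
    SoftwareKeyStore(weak_hive).save_password(password)
    strong_hive = Hive()
    store_b = DeviceBoundStore(strong_hive, Sensor())
    store_b.save_password(password)
    return {
        "software_key_recovered": offline_recover(weak_hive) == password,
        "device_bound_recovered": offline_attempt(strong_hive) == password.encode(),
        "device_bound_legit_path": store_b.password() == password,
    }


if __name__ == "__main__":
    print(demo())
```

The general point this makes is that “hardening” a key derivation does not change its security class while every input to it is readable from the disk; only mixing in something the offline reader does not hold (a key sealed in hardware, or a secret the user supplies) does. In a real deployment the simulated sensor would be the fingerprint hardware or a TPM, and the registry blob would be the only artifact a pulled disk yields.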

However, ElcomSoft is sticking to its guns.

El Reg approached Elcomsoft for comment on AuthenTec’s rebuttal. Olga Koksharova, Elcomsoft’s marketing director, reiterated the Russian firm’s warning about the seriousness of the security shortcoming.

“There is a dangerous security vulnerability which is seriously aggravated by the fact that the security is designed particularly for laptops that are frequently shared among employees (or passed from one to another) and represent a very easy prey for thieves,” Koksharova told El Reg. “We found that administrator rights grant you a complete access to all other fingerprint-protected accounts which by the way also makes EFS encryption (if there was any) pointless since the password is known.

“It is the second [another] question if these admin rights were assigned to you by default or if you got them somehow else. Moreover, you can simply take out the hard disk and plug it into another system and read the Registry data from there (provided there was no full-disk encryption),” she added.

More commentary on the rival – and hard to reconcile – claims by AuthenTec and ElcomSoft can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/11/fingerprint_scanner_crypto_warning/