STE WILLIAMS

Insecure SCADA kit has hidden factory account, password

Cylance’s Justin Clarke has tagged another SCADA maker for default insecurity, discovering a hidden factory account – complete with hard-coded password – in switch management software made by Belden-owned GarrettCom.

As the Department of Homeland Security’s ICS-CERT advisory (PDF) notes, the company’s Magnum MNS-6K management application allows an attacker to gain administrative privileges over the application and therefore the SCADA switches it manages.

The advisory states that a patch issued in May removed the vulnerability. However, since the vendor’s patch notice didn’t document the change, it’s possible that customers may not yet have implemented it.

Since GarrettCom claims “75 percent of the top 100 power utilities in North America” among its customers, the patch might be regarded as important.

Clarke seems to have struck a rich seam looking for undocumented insecurities in SCADA kit. In April, he sniffed out a similar default account vulnerability in RuggedCom kit, following it up in August with the discovery that the same vendor had a hard-coded RSA key in its switches.

Cylance’s advisory about the vulnerability says the factory account is only intended for use over the local console port. However, without documenting the process, the company says it’s possible for someone logged in via a guest account (which wouldn’t be restricted to the serial port) to escalate to the factory account. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/more_insecure_scada/

Apple land-grabs iThingy feature management patent

The world’s change-rooms and fitness clubs might get that little bit more private, if Apple actually implements its latest patent, to enforce a shut-down of a phone’s camera in “a sensitive area”.

Of course, it’s just as likely that if this patent ever makes its way to a product, it could also be used by copyright-holders to forbid photos of events like sports fixtures (El Reg can imagine the IOC writing to Cupertino already), or by police who seem to think the panopticon should only work in their favour.

The Lords of the Rounded Corner suggest that policy enforcement could be decided according to which base station the phone is logged into, or on the presence of other devices.

This second function probably isn’t too bad an idea, given the number of users who appear blissfully ignorant of their unsecured Bluetooth, for example.

Policies imagined by the patent include dimming and muting devices in a movie theatre (or, The Register supposes, shutting off the camera to prevent copies being made), preventing communication between devices, or forcing a “sleep mode” in a “sensitive area”.

The claims aren’t confined to a Rectangular Device with Slightly Rounded Corners: Apple also sweeps up the base station capabilities in the patent. It also covers the use of GPS to determine whether a device is in a sensitive area. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/apple_remote_kill_patent/

Fresh food fans debunk anti–organic food report, get hacked

The non-profit group Nation of Change claims to be the victim of a politically motivated DDoS and hacking attack after it debunked a report into the health benefits – or lack of same – of organic foods.

At the start of the week Stanford University published a report suggesting that organic foods contain about the same nutritional value as non-organic foods, and are not necessarily safer. In response, Nation of Change published a step-by-step rebuttal of the study – but its website was hit almost immediately by a DDoS attack that took down its servers.

Such attacks aren’t uncommon these days, since any script kiddy can download free code to stage a DDoS with very little resources. But the group says the attack was followed up by a hacker that got into their servers and tried to delete the article itself.

The group experienced a similar attack last year which also tried to remove information from their site. That piece, entitled “Hungary Destroys all Monsanto GMO Corn Fields”, was briefly removed from the site by unknown hackers.

“The attacks show nothing more than the fact that organizations with serious vested interest in deception and fortified corruption are desperately clinging on to any shred of credibility that they have left,” the group said. “By the way, we cannot confirm at the time who issued the attacks. What we can say, however, is that it is an organization with large scale capability.”

After a lengthy upgrade, the website is now back online and functioning normally. El Reg contacted Nation of Change for additional information and comment, but received no response in time for publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/charity_ddos_attack/

Consumers getting cagier about mobile app privacy

Mobile users are getting a lot smarter about what they are willing to share with application developers, with over half deciding against downloading an app because of the information it sought to harvest.

The latest research conducted by the Pew Internet Project surveyed over 2,500 US cell and smartphone users, and found that 43 per cent of mobile phone owners are downloading and using applications on a regular basis, up from 31 per cent last year.

But that growing tribe of mobile app users is more discriminating about which apps they use: 54 per cent refused new apps over privacy concerns, and three out of ten have removed installed applications because of the data they grab.

“Outside of some modest demographic differences, app users of all stripes are equally engaged in these aspects of personal information management,” the research finds. “Owners of both Android and iPhone devices are also equally likely to delete (or avoid entirely) cell phone apps due to concerns over their personal information.”

This cautiousness differs sharply by age. Around 44 per cent of teenager cell phone users flush out their history cache once in a while, compared to just 11 per cent of the over-65s. Similarly, a third of cell phone owners in their 20s turn off location-based applications, compared to 4 per cent of those old enough to be eligible for Medicare.

Smartphone users are generally more protective of their personal data and the applications it is shared with. Half of them clear their browser history, compared to a third of cell phone users, and they’re around a third more likely to turn off location-tracking apps. Six out of ten smartphone users back up their data, double that of cell phone users.

Despite being more hands-on with their phones, smartphone users are twice as likely as cell phone holders to report having had their privacy breached. When it comes to getting phones lost and stolen, there’s little difference between smart and cell phone users, with around a third reporting at least one incident.

There was some unexpected good news for RIM buried in Pew’s data: BlackBerry users are by far the most likely to report a handset lost or stolen – 45 per cent compared to 36 per cent of Android owners and 30 per cent of iPhone adherents – but only 4 per cent reported losing any personal data. By contrast 16 per cent of iPhone and 17 per cent of Android users had their data accessed in the same situation.

This is good news for RIM’s security reputation, and the lost or stolen stats should also please the Canadians’ sales department. After all, having a higher percentage of forgetful or unlucky users might allow the company to shift a lot more handsets when the new BlackBerry 10 operating system finally makes it to market next year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/pew_mobile_app_survey/

‘World’s first’ dog to sniff out pilfered cabling is Brit black lab

A dog named Jazz has been trained to sniff out forensic markings on metal to help cops nab crooks who pinch copper cabling from BT’s underground telephone network.

Come on, show us your Jazz hands

The two-year-old black labrador from Blackpool was described as the “first detection dog” of its kind in the world to sniff out stolen metal in scrap yards and other locations where nicked copper or lead might be hard for the human eye to spot.

Home Office police dog instructor Mick Swindells, who is a former Lancashire Constabulary cop, trained Jazz to locate scented forensic markings on metals such as copper, lead and aluminum.

“As humans we can only search in 2D, i.e. in the line of sight, but dogs can search in 3D by using their noses. They can be incredibly accurate, and can pinpoint their target to within a couple of centimetres,” he said.

A chihuahua spotted acting suspiciously around a BT box last night

The cost of metal pinching to Britain’s taxpayers is said to have jumped from £700m in December last year to £770m as of today. Around 1,000 such thefts are reported to the police each week.

Selectamark Security Systems, which provides its SelectaDNA product that helps to identify property and link thieves to crime scenes, counts police forces in the UK and companies including Network Rail as some of its customers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/metal_theft_sniffer_dog_deployed/

Chick-lit star snubs Menshn.com password flaw alert

A security researcher has warned of new vulnerabilities in former Tory MP and chick-lit queen Louise Mensch’s three-month-old chatroom-cum-microblogging service.

A “trivial” CSRF attack (cross-site request forgery) can change a Menshn.com user’s password, according to developer Danny Moules. El Reg has seen proof-of-concept code developed by Moules (@Rushyo) – which has not been publicly released – that backs up his concerns. Assuming targets are logged into Menshn.com, any third-party site might be able to change a victim’s Menshn password or registered email address, by using the unresolved CSRF vulnerability on the site to forge requests.

However, both Louise Mensch and the site’s co-founder Luke Bozier, a one-time Labour party flack who defected to the Tories earlier this year, were quick to dismiss concerns about the alleged flaw when approached for comment by El Reg.

“Not true at all. Menshn is 100% secure. There has never been a CSRF attack and I’m sure I know how to Google what that is,” Bozier said in a Twitter message.

Mensch added: “Passwords are encrypted: HTTPS.”

Menshn.com was the subject of a barrage of criticism from security experts when it launched in the UK back in June. Bozier described critics at the time as “snippy geeks”.

Since its launch, Menshn has mandated the use of an SSL encrypted tunnel for password exchange and applied a basic filter to stop basic XSS (cross-site scripting) attacks. However, many problems remain, according to Moules.
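The password-change flaw described above is worth separating from the HTTPS point the site’s founders make: TLS protects the request in transit, but a forged cross-site request is sent by the victim’s own browser, over the victim’s own encrypted session, so encryption does nothing against it. The following is an added illustration, not Menshn’s code nor Moules’ proof of concept: a minimal password-change handler in its vulnerable form beside a hardened one that checks the Origin header, a per-session synchronizer token and the current password. The user store, `Session` class and `SITE_ORIGIN` placeholder are constructed for the example; the same three checks apply equally to an email-address change endpoint.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory user store; a stand-in for a real web framework's model.
USERS = {"alice": {"password": "old-pass", "email": "alice@example.invalid"}}
SITE_ORIGIN = "https://menshn.example"   # assumed placeholder origin, not the real site


def reset_users():
    """Restore the constructed user store (handy when re-running the demo)."""
    USERS["alice"] = {"password": "old-pass", "email": "alice@example.invalid"}


@dataclass
class Session:
    user: str
    # Per-session synchronizer token. It is rendered into the site's own forms,
    # and a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def change_password_vulnerable(session, form):
    """'Before': honours any POST that arrives with the victim's session cookie.
    A third-party page that auto-submits a form to this endpoint changes the
    password with no action by the user; this is the class of flaw the article
    describes, and HTTPS does not prevent it."""
    USERS[session.user]["password"] = form["new_password"]
    return True


def change_password_protected(session, form, origin):
    """'After': three independent checks, each of which a forged request fails."""
    # 1. The Origin header must name our own site (browsers attach it to POSTs).
    if origin != SITE_ORIGIN:
        return False
    # 2. The form must echo the session's token; compare in constant time.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False
    # 3. Credential changes re-prompt for the current password, which a
    #    forged request does not know.
    if form.get("current_password") != USERS[session.user]["password"]:
        return False
    USERS[session.user]["password"] = form["new_password"]
    return True
```

The Origin check alone is a useful first line of defence but not sufficient on its own (older clients and some proxies drop the header), which is why the token and the re-authentication are kept as well.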

Moules told El Reg: “The CSRF is just the latest in a long list of issues they’ve had, many of which are still at large. Some people are actively exploiting some XSS holes using a technique that I warned them about months ago (a ‘social network worm’, so to speak).”

Nick Shearer, a London-based mobile software engineer, who was among the first to document XSS issues on Menshn.com back in June, said that the latest CSRF flaw warning is all too credible.

“It definitely looks sound. I haven’t tested it because CSRF attacks are a bit more serious than XSS scripting, and English law takes a fairly backwards view of doing this sort of thing, even with the best of intentions. But there’s nothing in that code that suggests it’s not a real exploit,” he told El Reg.

The Menshn.com social network aims to differentiate itself from other web jabber services such as Twitter by offering online chat rooms featuring on-topic discussion around a particular theme, such as UK politics or the Paralympics. Posted comments are deleted after a week and Menshn promises to offer an environment free of spam and trolls. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/menshn_password_reset_vuln/

GCHQ spooks give biz chiefs crash course in thwarting hackers

GCHQ, the UK’s nerve-centre for eavesdropping spooks, will advise the nation’s business leaders on how best to thwart attacks by hackers.

The educational programme, dubbed Cyber Security for Business, was launched today at an event that brought together chief execs of FTSE 100 companies, government ministers and officials from security and intelligence agencies.

The Communications-Electronics Security Group (CESG) within GCHQ has advised organisations on best practices for IT defences for many years, but this latest scheme puts the intelligence services directly in touch with the private sector for the first time, The Independent reports.

GCHQ drew up a dossier titled Top 20 Critical Controls for Effective Cyber Defence for the programme, which David Emm – senior regional researcher at Kaspersky Lab – likened to a “promo event” for the government’s £650m effort to bolster Blighty’s electronic defences. “Cyber security” was rated alongside terrorism as a “tier-one security challenge faced by the UK” in the Cabinet Office’s National Security Strategy, which gave GCHQ the lead role in protecting the country’s infrastructure from attacks.

Emm told El Reg that threats range from vandalism by political protesters to industrial espionage by rival firms and foreign intelligence agencies, as well as more conventional hacking and malware-based attacks.

From visiting boardrooms to monitoring citizens

UK security chiefs have pushed for an expanded role in “monitoring unusual network traffic” and repelling hacker attacks against critical infrastructure – such as electricity distribution and water pumping – for more than a year.

Under draft plans, an expanded national cyber-security hub at GCHQ would monitor data in transit from “major communications, power and transport providers for evidence of hacking”, which would be a big expansion of powers for the small team at the Cyber Security Operations Centre. It is tasked with providing intelligence about threats to national security.

It’s unclear whether the Cyber Security for Business programme will form part of these proposals or is simply a more modest outreach project.

Mark Brown, director of information security at management consultants Ernst & Young, welcomed the launch of Cyber Security for Business. He said: “[The] launch is a welcome move by government and serves as a wake-up call to UK Plc on the need to elevate cyber security on the boardroom agenda.

“Recent high-profile breaches and industry research shows an over confidence in organisations’ approach to the subject which remains focused on driving IT compliance. The changing risk landscape, now more than ever, requires a shift in focus to recognise the strategic importance of protecting a company’s information assets.

“Although this is an appropriate short-term solution, the longer term cure for this problem surely involves re-evaluating the skills and knowledge gap in industry rather than government intervention.”

Recent research [PDF] from Kaspersky Lab revealed that although businesses recognise IT security threats as a pressing problem, huge gaps in defences remain. Almost half (48 per cent) of 3,300 IT professionals who responded to the global survey admitted they are insufficiently protected against the theft of intellectual property.

Separately, a survey of 320 UK IT professionals by Check Point, published today, found that a third said their primary focus was on stopping external assaults – such as hacking, distributed denial of service (DDoS) attacks on websites, and malware – while 26 per cent said their main challenge was preventing inadvertent data losses by employees. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/cyber_security_gchq_launch/

Guinness World Records pulls beards off online Secret Santas

Guinness World Records has owned up to leaking 1,070 email addresses of Redditgifts users who won the record for the Largest Online Secret Santa.

Redditgifts bagged the record with 30,250 users in 115 countries handing out presents to each other last Christmas. Redditors involved were able to apply for a certificate of participation for a nominal fee.

Yesterday, over 1,000 British Santas got an email about the delay in getting their certs, with each other’s email addresses CC’d in.

GWR immediately copped to the breach and said they’d be informing the UK’s Information Commissioner’s Office about it.

“Guinness World Records today was responsible for a breach in relation to email data for a group of our record-holders for the ‘Largest Online Secret Santa’. Unfortunately this breach was a human error by one of our staff,” GWR said.

The record-book makers also said that everyone who had their email address handed out would get a full refund and still receive their certificate.
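The leak is the classic bulk-mail mistake: recipients placed in Cc rather than Bcc. As an added illustration, not GWR’s mailing code, the Python below builds the notice both ways using the standard library and adds the pre-send guard that would have caught it: a bulk notice may show at most one visible address, and that address must be the sender’s own. The sender and recipient addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder addresses; nothing here is a real recipient.
SENDER = "records@example.invalid"
RECIPIENTS = ["santa1@example.invalid", "santa2@example.invalid", "santa3@example.invalid"]


def build_notice_cc(sender, recipients, subject, body):
    """The failure mode in the story: every recipient visible to every other."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notice_bcc(sender, recipients, subject, body):
    """The fix: recipients go in Bcc. smtplib.SMTP.send_message strips the Bcc
    header from the transmitted copy, so no recipient sees the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses any recipient will be able to read: To and Cc, never Bcc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _name, addr in pairs if addr]


def safe_to_send(msg, sender, max_visible=1):
    """Pre-send guard for bulk notices: at most `max_visible` visible address,
    and every visible address must be the sender's own."""
    visible = visible_recipients(msg)
    return len(visible) <= max_visible and all(addr == sender for addr in visible)
```

Wiring `safe_to_send` in front of the actual SMTP call turns a human slip in the client into a refused send rather than a notifiable breach.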

Some affected Redditors said they’d been inundated with spam, but most were understanding about the leak.

“I’m sure it was an honest mistake, I hope the poor employee doesn’t get fired. I too, found the whole thing hilarious with all the replies from the other redditors. Heh. Thanks for the email acknowledging the mistake and the refund too,” xinhui5 said on the site.

“I know, stuff happens! Can we get a free Guinness bar towel to go with our certificates? I would love one!” enterprising Redditor kimwim42 asked cheekily. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/guinness_world_records_email_leak/

You’ll be on a list 3 hrs after you start downloading from pirates

File sharers who download torrents from services such as The Pirate Bay can expect to find their IP address logged by copyright enforcers within three hours, according to a new study by computer scientists.

Researchers at the UK’s University of Birmingham reached the finding at the end of a two-year study into how organisations are monitoring illegal file sharers.

They conclude that large scale monitoring of the most popular illegal downloads from The Pirate Bay has been taking place over the last three years. On average an illegal file sharer, using BitTorrent to download the most popular content, will be picked up and logged within three hours of starting a download. Downloads of more popular files tend to be picked up more quickly, as the paper explains.

Average time before monitors connect: 40% of the monitors that communicated with our clients made their initial connection within 3 hours of the client joining the swarm; the slowest monitor took 33 hours to make its first connection. The average time decreases for torrents appearing higher in the Top 100, implying that enforcement agencies allocate resources according to the popularity of the content they monitor.

“The monitors we detected don’t actually collect any parts of the file from the alleged uploader, therefore the evidence of illegal file sharing collected by monitors may not stand up in court,” Tom Chothia, one of the four researchers along with Marco Cova, Chris Novakovic and Camilo Gonzalez Toro, told El Reg.

“We found six very large scale monitors, however all of them were using third-party hosting companies. Therefore we can’t be sure who they really were, or if they were monitoring for legal or for marketing purposes. We also found a further seven small scale monitors that included some security companies, hosting companies and a research lab,” Chothia added.

Copyright holders monitor file-sharing networks in two ways: indirect monitoring, where the presence of an IP address in a tracker’s peer list is logged, and direct monitoring, where an attempt is actually made to download file pieces from the IP addresses listed in a torrent swarm. The Birmingham researchers found that direct monitoring is happening but that indirect monitoring remains by far the most common technique applied by copyright enforcers.
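The distinction matters for the evidential point Chothia makes: a monitor that only appears in a peer list, or that connects but never takes any piece of the file, has not observed an upload. The Python below is an added illustration of how a client-side observer would sort swarm peers along those lines; it is not the Birmingham team’s tooling or methodology. The event log is constructed, with IPs from documentation ranges, and the labels are the author’s own: a peer that exchanged data, a peer that connected without taking data (the direct-monitor profile), and a peer seen only in the tracker list, which is consistent with indirect monitoring but equally with an ordinary peer behind NAT. It also computes the time-to-first-contact figure the paper reports.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed observation log for one swarm (not real capture data).
# Each record: (hours since our client joined the swarm, peer IP, event).
EVENTS = [
    (0.0, "203.0.113.5", "tracker_list"),
    (0.2, "203.0.113.5", "handshake"),
    (0.3, "203.0.113.5", "request"),
    (0.3, "203.0.113.5", "piece_sent"),
    (0.0, "198.51.100.7", "tracker_list"),   # listed, never connects
    (0.0, "192.0.2.9", "tracker_list"),
    (2.5, "192.0.2.9", "handshake"),         # connects, never asks for data
    (5.0, "192.0.2.9", "handshake"),
]


@dataclass
class PeerStats:
    in_tracker_list: bool = False
    first_contact: Optional[float] = None   # hours until the peer's first completed handshake
    pieces_requested: int = 0               # piece requests the peer sent us
    pieces_sent: int = 0                    # piece blocks we actually delivered to it


def build_stats(events):
    """Fold the event log into per-peer counters, in time order."""
    stats = defaultdict(PeerStats)
    for hours, ip, kind in sorted(events):
        s = stats[ip]
        if kind == "tracker_list":
            s.in_tracker_list = True
        elif kind == "handshake" and s.first_contact is None:
            s.first_contact = hours
        elif kind == "request":
            s.pieces_requested += 1
        elif kind == "piece_sent":
            s.pieces_sent += 1
    return dict(stats)


def classify(stats):
    """Label each peer by what it actually did, the distinction the article draws."""
    labels = {}
    for ip, s in stats.items():
        if s.pieces_sent > 0:
            labels[ip] = "exchanged_data"   # behaved as a real peer: took file data
        elif s.first_contact is not None:
            labels[ip] = "connect_only"     # handshake but no data: direct-monitor profile
        else:
            labels[ip] = "listed_only"      # tracker list only: cannot be distinguished from NAT'd peers
    return labels


def first_contact_hours(stats):
    """Hours from joining the swarm to each connecting peer's first handshake."""
    return {ip: s.first_contact for ip, s in stats.items() if s.first_contact is not None}


def share_contacting_within(stats, hours):
    """Fraction of connect-only peers whose first handshake came within `hours`."""
    labels = classify(stats)
    times = [stats[ip].first_contact for ip, label in labels.items() if label == "connect_only"]
    if not times:
        return 0.0
    return sum(1 for t in times if t <= hours) / len(times)
```

On the constructed log the single connect-only peer makes contact at 2.5 hours, so the within-three-hours share is 1.0; on real data the same function gives the figure the paper quotes as 40 per cent.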

A technical paper, The Unbearable Lightness of Monitoring: Direct Monitoring in BitTorrent, describing the Birmingham team’s research can be found here (PDF).

The paper, more aimed at anti-piracy officers at ISPs and copyright enforcers than end-users, was presented at the SecureComm conference in Padua, Italy yesterday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/p2p_copyright_enforcement_study/

FBI says Apple ID heist claim is TOTALLY FALSE

Popcorn time: Hot on the heels of AntiSec’s claim that the purloined Apple device IDs it dumped to Pastebin came from the FBI, the G-men have flatly denied the story.

In a statement e-mailed to the press, the FBI says simply:

The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

On Twitter, the FBI was even more blunt:

Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE

Of course, tinfoil-hatters will remind the world “they would say that, wouldn’t they?”, but it’s now over to AntiSec to back its claim.

Meanwhile, trawling the database of UDIDs, Cultofmac is making the extraordinary and probably unprovable claim that President Obama’s UDID is among those on the list leaked by AntiSec.

That claim comes from a PasteHTML search on the UDIDs (which page, by the way, allows anyone to check if their UDID was leaked). Exactly how the search conclusively ties the named device to the Leader of the Free World isn’t exactly clear to El Reg. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/04/feds_deny_antisec_claims/