STE WILLIAMS

Google ordered to destroy Oz Street View data

The Australian Privacy Commission has followed the lead of its global counterparts, demanding that Google Australia immediately destroy payload data which was siphoned by the Street View wi-fi data-sucking car squads.

In a letter sent to Google’s Head of Public Policy and Government Affairs Iarla Flynn, Privacy Commissioner Timothy Pilgrim issued a strict edict that Google should immediately destroy the data, additionally demanding that an independent third party confirm that the data has been destroyed.

Pilgrim has also requested that Google commit to an audit to ensure “that no other disks containing this data exist, and to advise me once this audit is completed.”

Google’s Australian PR team has told El Reg: “Of course, we’ll continue working closely with the Privacy Commissioner on this issue.”

The matter has re-emerged following revelations that Google was still harbouring additional Street View data, after it had advised that the original data was destroyed back in March 2011.

Google Australia notified the Office of the Australian Information Commissioner (OAIC) on July 27 that it had identified more payload data collected by Google’s Street View vehicles in Australia. In the last few weeks around 11 data protection authorities in Europe have received confessions from Google explaining that it still had random Street View data on its servers.

Last week Google’s French digs came under fire from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), which requested that they surrender the Street View payload data. Last month, Google UK confessed it still had “in its possession a small portion of payload data collected by our Street View vehicles in the UK”.

Meanwhile the Australian Privacy Commission has also announced that it has opened an official investigation into the Anonymous data hacks against AAPT and Melbourne IT. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/08/google_must_destroy_data/

The policy that helped Anonymous hack AAPT

Anonymous’ theft of data from a dormant AAPT server might not have been possible had the telco used a different host.

AAPT has said the ColdFusion server Anonymous accessed was, essentially, forgotten. In its unpatched state it was therefore easy meat.

One question the Anonymous incident therefore raises is just why the server was there at all. El Reg suspects that’s been asked rather tersely within the halls of AAPT, and expects that the IT department there has probably not admitted that servers get lost all the time.

If you doubt that’s a fact, consider the evergreen market for network discovery tools that scour a network and report back with a list of every piece of attached kit. Consider, too, the phenomenon of virtual machine sprawl, which raises its head when IT departments summon oodles of virtual machines into existence and then forget them.

Lost servers on a LAN aren’t a big deal. But the Anonymous/AAPT incident shows hosted servers rather raise the stakes.

Which is why we decided to ask several hosting and cloud providers what they do when they see an orphaned server. Telstra, Optus and AWS have not responded to those queries.

But Melbourne IT, where AAPT’s server resided, has, explaining its stance as follows:

In Melbourne IT’s hosting environment there are either active servers or decommissioned servers. Customers use their servers for different purposes, whether they be production environments, testing environments or disaster recovery services. Some servers could be kept on standby by customers for business continuity or for changing project demands; others exist for regulatory compliance where data needs to be stored for a certain number of years. How customers decide to use their servers can change from month to month or year to year. How often the content on those servers is updated, or what content is stored on those servers, is at the customer’s discretion. Given such a wide range of usage by our customers, the concept of a ‘dormant server’ does not exist. Therefore all active servers are treated as active unless we have received notice from the customer to decommission the service (or Melbourne IT decommissions the server due to a breach of contract by the customer). Decommissioned servers are removed from the active server pool and the data is erased.

In other words, if you forget about a server hosted at Melbourne IT and keep paying for it, the company will run it forever.

That’s a contrast to the policy at Macquarie Telecom’s public cloud outfit Ninefold, where Chairman and Co-Founder Peter James told us a rather different regime operates.

“If no activity has taken place for three calendar months, we contact the customer prior to the third month to indicate there has been no activity and that account closure is pending,” he wrote. “Then, at the customer’s request, their account is open or closed.”

Given the near-inevitability of the occasional absent-minded server loss, it therefore seems that being a customer of an outfit with a policy like Ninefold’s is probably preferable to working with the kind of policies in place at Melbourne IT. ®
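A way to apply the Ninefold-style rule quoted above to your own hosted estate, as an added example (not code from AAPT, Melbourne IT or Ninefold): reconcile what the provider is billing for against the internal asset register, count whole calendar months of inactivity, and flag hosts nobody owns. Field names and the sample records are constructed assumptions.

```python
"""Dormant/orphaned host review for hosted and cloud servers.

Inputs are assumed: a list of billed hosts with the last login, deploy or
patch date seen for each, and an asset register mapping host id to owner.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class BilledHost:
    host_id: str
    last_activity: date | None  # None: no activity ever recorded


@dataclass
class Finding:
    host_id: str
    idle_months: int
    orphaned: bool   # billed for, but absent from the asset register
    action: str      # "none", "assign-owner", "contact-owner", "decommission-review"


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + later.month - earlier.month
    if later.day < earlier.day:
        months -= 1
    return max(months, 0)


def review_hosts(billed: list[BilledHost], asset_register: dict[str, str],
                 today: date, idle_months: int = 3) -> list[Finding]:
    """Classify every billed host. Inactivity of `idle_months` calendar months
    triggers a decommission review; the owner is contacted one month earlier,
    i.e. before the third idle month ends, as in the Ninefold policy."""
    findings = []
    for h in billed:
        idle = idle_months if h.last_activity is None else months_between(h.last_activity, today)
        orphaned = h.host_id not in asset_register
        if idle >= idle_months:
            action = "decommission-review"
        elif idle >= idle_months - 1:
            action = "contact-owner"
        elif orphaned:
            action = "assign-owner"   # still in use, but nobody is on record for it
        else:
            action = "none"
        findings.append(Finding(h.host_id, idle, orphaned, action))
    return findings


# Constructed sample data; the review date matches the article's timeframe.
TODAY = date(2012, 8, 7)
ASSET_REGISTER = {"web-01": "web team", "build-02": "platform team", "dr-standby": "ops"}
BILLED = [
    BilledHost("web-01", date(2012, 8, 1)),
    BilledHost("build-02", date(2012, 5, 20)),
    BilledHost("cf-legacy", date(2011, 9, 30)),   # the forgotten box nobody owns
    BilledHost("dr-standby", None),
    BilledHost("unknown-05", date(2012, 8, 3)),
]

if __name__ == "__main__":
    for f in review_hosts(BILLED, ASSET_REGISTER, TODAY):
        print(f)
```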

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/07/how_anonymous_hacked_aapt/

Devon NHS trust left data of 1,373 staff online for MONTHS

A painful £175,000 fine has been slapped on a health trust in Torquay, Devon, after it published sensitive details of nearly 1,400 employees on its website.

The Information Commissioner’s Office issued the penalty, following the embarrassing incident that took place in April 2011.

A spreadsheet containing the information was mistakenly published by staff at Torbay Care Trust for 19 weeks before a member of the public alerted it to the data protection cockup.

“The data covered the equality and diversity responses of 1,373 staff and included individuals’ names, dates of birth and National Insurance numbers, along with sensitive information about the person’s religion and sexuality,” the ICO said.

The data watchdog noted that the trust had no safeguards in place to prevent such information being published online. It said staff hadn’t been offered any guidance on handling such information and added that there were inadequate checks in place to spot potential problems.
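The kind of pre-publication check the ICO found missing, as an added example (not code from the ICO or the trust): before a file is copied to a public web directory, scan its columns for UK National Insurance numbers and dates of birth and block the upload if any column is full of them. The CSV sample is constructed and every value in it is invented.

```python
"""Pre-publication scan for UK personal identifiers in a spreadsheet export."""
from __future__ import annotations

import csv
import io
import re
from datetime import date

# NI number: two letters, six digits, suffix A-D. HMRC excludes D, F, I, Q, U, V
# from both prefix letters, O from the second letter, and a few whole prefixes.
_NI_RE = re.compile(r"^[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]$")
_BAD_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}
_DOB_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})$")


def is_ni_number(value: str) -> bool:
    v = value.strip().upper()
    return bool(_NI_RE.match(v)) and v[:2] not in _BAD_PREFIXES


def is_date_of_birth(value: str, today: date = date(2011, 4, 1)) -> bool:
    """A plausible staff DOB: a valid dd/mm/yyyy date giving an age of 16 to 100."""
    m = _DOB_RE.match(value.strip())
    if not m:
        return False
    d, mo, y = (int(g) for g in m.groups())
    try:
        born = date(y, mo, d)
    except ValueError:          # e.g. 31/02/1975
        return False
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return 16 <= age <= 100


def scan_rows(csv_text: str, min_hits: int = 3) -> dict[str, list[str]]:
    """Map column name -> kinds of identifier found, for columns where at least
    `min_hits` cells match. The threshold keeps a single stray value from
    blocking a harmless file; a whole column of NI numbers is the real signal."""
    counts: dict[str, dict[str, int]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, cell in row.items():
            kinds = counts.setdefault(col, {"ni_number": 0, "date_of_birth": 0})
            cell = cell or ""
            kinds["ni_number"] += is_ni_number(cell)
            kinds["date_of_birth"] += is_date_of_birth(cell)
    return {col: [k for k, n in kinds.items() if n >= min_hits]
            for col, kinds in counts.items()
            if any(n >= min_hits for n in kinds.values())}


def safe_to_publish(csv_text: str) -> bool:
    return not scan_rows(csv_text)


# Constructed sample resembling an HR equality-and-diversity export.
SAMPLE_CSV = """name,dob,ni_number,religion,sexuality
Alice Example,03/02/1975,AB123456C,None,Prefer not to say
Bob Example,17/11/1982,CE987654A,Christian,Prefer not to say
Cara Example,29/06/1969,JG112233B,Muslim,Prefer not to say
Dan Example,01/01/2011,ZZ123456A,None,Prefer not to say
"""

if __name__ == "__main__":
    print(scan_rows(SAMPLE_CSV))   # → {'dob': ['date_of_birth'], 'ni_number': ['ni_number']}
```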

ICO head of enforcement Stephen Eckersley said:

We regular [sic] speak with organisations across the health service to remind them of the need to look after people’s data. The fact that this breach was caused by Torbay Care Trust publishing sensitive information about their staff is extremely troubling and was entirely avoidable. Not only were they giving sensitive information out about their employees but they were also leaving them exposed to the threat of identity fraud.

The ICO added that the trust had now introduced a web management policy to prevent such data protection cockups in the future. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/07/ico_fines_devon_health_trust/

Alleged Anon arrested for planning gov DDoS attacks

Hong Kong police have arrested a 21-year-old man after he apparently bragged on Facebook of his intent to disrupt several government web sites.

Local cops are not releasing much information except to say that the man was arrested last Friday and later released on bail, with an order to report back in October.

He was cuffed after threatening to launch DDoS attacks against seven government sites.

Section 161 of the Crimes Ordinance states it is an offence “to obtain access to a computer with an intent to commit an offence”, and if found guilty the perpetrator could face up to five years in the slammer.

Although police were tight-lipped, local media reports said the man claims to be part of the local chapter of hacktivist group Anonymous.

“Many protesters are resorting to hacking because normal demonstrations are hampered by public order laws and the police,” he told the South China Morning Post.

One would usually expect an accompanying blaze of publicity via social media channels if this were the case, but the group’s @AnonymousAHK Twitter feed has not been updated since 28 April and its Facebook page has little in the way of the usual provocative messages.

In fact, Anonymous activity in the China region has been virtually non-existent since the group claimed the scalps of hundreds of government and business web sites back in April.

For Hong Kong businesses and government institutions the bigger threat at the moment is the more traditional one of financially-motivated cyber criminals looking either to steal valuable IP or blackmail firms with the threat of DDoS attacks.

Last month, Chinese police busted one such gang, which had targeted gold, silver and securities traders in Hong Kong. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/07/facebook_anonymous_suspect_ddos_hong_kong/

France backs away from Hadopi

The French government is counting the cost of having copyright enforcement shifted from the corporate to the public sector – and it’s not pleased at what it sees.

Hadopi, the body charged with hunting down freetards under France’s three-strikes law, has sent a million warning e-mails and 99,000 registered letters. This seemingly-impressive pursuit of Internet evildoers has, however, resulted in a scant 134 cases being examined for prosecution – and so far, zero cases have been escalated to the point where an Internet user has been disconnected.

At a reported cost of 12 million Euros, which covers a payroll that includes 60 agents, the whole exercise has been described as “unwieldy, uneconomic and ultimately ineffective” and a failure by the French culture minister Aurélie Filippetti. It would appear that the agency is now standing on the trap-door in the minister’s office, waiting for someone to pull the lever.

Filippetti told Le Nouvel Observateur (Google translation here) that Hadopi had also failed in a key part of its mission, to foster legal content to replace illegal downloads.

The French government has now launched a consultation to re-examine Internet piracy. In the Le Nouvel Observateur interview, Filippetti expressed a strong intention to cut Hadopi’s appropriations, and talked of a post-Hadopi future.

In a separate interview, Pierre Lescure – head of the commission into the “Future of Piracy” – has endorsed Filippetti’s stance, saying he attaches “great importance” to the development of legal offers, and that the temptations to piracy are so great only a priest would not yield.

“The error of Hadopi was to focus on the penalty”, he told Le Nouvel Observateur. “If one starts from the penalty, it will fail”, he said, adding that the sanction of disconnection is, for now, unenforceable. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/06/hadopi_under_fire/

Baidu bods arrested after deleting posts for dosh

Chinese web giant Baidu has been forced to sack four employees, three of whom were arrested by local police on suspicion of accepting bribes in return for deleting user-generated posts on one of the firm’s sites.

Baidu PR officer Li Guoxun told Global Times that police got involved in the case due to the large sums of money involved – potentially running into the tens of thousands of yuan.

“Baidu has fired the four. If we discover such cases, we will severely punish staff,” said Li. “Baidu will close the loopholes by strengthening management to maintain order in our communication platform.”

The three employees, surnamed Lu, Xu and Sun, were arrested by officers from the Beijing Public Security Bureau in July for colluding with external third parties to remove the content.

The fourth employee involved, surnamed Guo, was apparently found out before he had a chance to complete the deal.

Reports didn’t specify exactly what content was targeted by the four rogue members of staff and The Reg was still waiting to hear back from Baidu for confirmation at the time of writing.

It’s worth noting that professional post deletion companies have snowballed in China in recent years, offering their services to any PR and marketing companies keen to erase negative online content about their clients.

Such firms obviously rely on having a network of insiders at the web companies which host such user-generated content.

Prices can start off in the low hundreds of yuan for deletion of single posts and go all the way up to hundreds of thousands for an annual subscription.

Although Baidu has sought to nip this one in the bud by quickly purging itself of the allegedly responsible employees, it must be remembered that the firm is already complicit in far more extensive censorship of online content, by agreeing to government demands over what can and can’t be accessed via its services. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/06/baidu_staff_sacked_arrested_deleting_posts/

Reuters suffers double hack

Call it a “psy-ops” attack, if you like: Reuters has suffered the embarrassment of having two platforms infiltrated and used to spread propaganda messages supporting the Syrian regime.

The newswire’s woes began on Friday, August 3, when attackers gained access to its blogging platform and posted false stories attributed to Reuters journalists. This included a post claiming to be an interview with Free Syrian Army (FSA) head Riad al-Assad foreshadowing a pull-out from northern Aleppo.

After Reuters took the blogging platform offline, the attackers directed their attention to a Twitter account operated by the agency, changing @ReutersTECH to @ReutersME and slotting in propagandistic and absurd posts (screenshot from @worldwidenieuws).

This included the improbable claim that the US intended to punish Egypt for a demonstration at which protesters chanted “Monica” at Hillary Clinton, claims that America never stopped funding Al Qaeda, and (predictably enough) alleged reports of heavy FSA losses in Aleppo.

The Twitter hijacker’s parting shot drew in Zionist propaganda, stating that Reuters was planning a shareholders’ meeting to investigate “Rothschild’s ‘iron grip’ over decision-making process”.

As Christian Science Monitor notes, such “ham-handed” propaganda probably doesn’t have much impact (Indeed, in El Reg’s experience, it’s easier and more effective to punk newswires with urban myths, but that’s another story). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/05/reuters_hacked/

AuthenTec sells out to Apple to the sound of 1,000 lawsuits

The $356m purchase of AuthenTec by Apple has not been universally welcomed. Not only are analysts and potential rivals trying to piece together the logic of the deal, but investors and, more importantly, class action lawyers are trying to work out whether the 60 per cent trading premium at which the deal is set was sufficiently high.

There is a thought out there that since AuthenTec had just concluded a deal with Samsung, its directors had the fiduciary duty when approached by Apple to at least ask Samsung if it wanted to counter-bid. We cannot go along with that thinking. When a board is approached with an outstanding offer compared with its current share value, it has every right to take the money and commit the company to a merger. However what these complaints might make possible is the extension of the time period over which the deal will move to completion, and that MAY give AuthenTec time to at least talk to Samsung.

Of course the whole point of agreeing cancellation fees (there are two-way cancellation fees in here, valued at $20m from Apple and $10.95m the other way) is so that the target company cannot go and talk to someone else and ramp the price, and so that the buyer cannot walk away having shown an acceptable bid valuation to the world.

Since AuthenTec is a company that only has $18m in the bank, it had better have a very good reason to change its mind and fail to sell to Apple, and lose that cash. And anyway it has a customary “no-shop” restriction placed on its ability to solicit alternative proposals from third parties or to enter any kind of discussion. This has to be subject to some exceptions, such as when another company approaches it, it must have something to say.

But we expect that whatever comes of these legal moves, the deal is more or less done and Apple will get the spoils, even if someone gets shareholders a little more cash. So why does it want AuthenTec? Most analysts in this area cannot see the wood for the trees. The first thing they do is look up what this company does. The bulk of its revenues comes from fingerprint recognition systems and it has genuine IPR here. It is a decent market leader in this nascent field, and most people assume that Apple will use this technology for one of two things: to secure iOS devices with a fingerprint, either for enterprise apps or for mobile payments.

The myth of fingerprints

We tend to think this is pie in the sky. You cannot dominate the global banking community and introduce authentication technology which they have yet to approve of, no matter how groundbreaking. Apple already has patents on accessing devices using unique gestures and these have already all been copied by rivals.

On the enterprise front there may be applications where this could be used, but to put this in perspective, right now AuthenTec has quarterly revenues of only just over $10bn in fingerprint recognition. These revenues are going down, or are at best flat, and the company has recently reduced its R&D in this area marginally. So what else could Apple be after?

Well there are two other security businesses that AuthenTec is present in, using software protection for DRM systems, so that you can have an (arguably) secure downloadable DRM, and a silicon based embedded execution area for encryption – a set of cores that can be used to securely process decryption on-chip, which any security software layer could benefit from. Samsung has recently taken this to underpin a VPN, but it might just as easily be used to underpin a DRM system for video delivery.

HD video on tablet

Now one of the debates that has been raging around the most recently launched iPad is the ability of its screen to handle HD video content. Hollywood has vacillated between banning premium HD video from portable devices and allowing it. The best solution has seemed to be to downgrade the resolution on this video for tablets. Many content owners allow video which is premium paid video, such as pay TV, to be delivered over IP in parallel with its TV delivery, to tablets, but at a lower resolution, while some ban it altogether.

But blocking HD content to a tablet is a lottery – your rival may get many more viewers by NOT banning it, because tablets of all types are taking off. The problem has been the software-only nature of the security, and only two solutions have emerged which really offer any comfort at all: one from Arxan, which AuthenTec uses, and one from Irdeto called Active Cloak for Media. Both use a form of white-box encryption, as well as object code obfuscation and multiple frequent authentications between system components.

These two systems are dominant but slightly different, and regardless of what both companies say about how secure they are, they are not secure enough to entrust premium paid HD content to where it has not yet been widely pirated. One security analyst told us that if smart cards were a 9 out of 10 in security terms, these software-only systems were a two and a half.

The most secure approach is putting a secure set of decryption processing cores – complete with a hardware-enforced firewall and separate processing elements for decrypting keys – on the processing chip. The problem here is that although AuthenTec offers its DRM Fusion product as a secure software-only, downloadable DRM, the underlying security technology belongs to Arxan, and so it has no real IPR to offer Apple, which is what leads us to believe that this is not the reason for Apple’s interest.

AuthenTec has made a number of strides here and signed some new customers recently, but while many of the App Store video apps are based on either the Arxan or AuthenTec implementations, Apple should have been buying Arxan if it wanted to control this process. This brings us to AuthenTec’s third security business, based on its SafeXcel IP chip cores. AuthenTec acquired this technology from SafeNet two years ago along with its DRM Fusion product, and since it did so it has been investing more R&D in this than any other part of its product portfolio, doubling it each year so far.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/04/apple_buys_authentec/

Microsoft tightens grip on OEM Windows 8 licensing

A series of slides leaked online reveal information about Microsoft’s new OEM Activation process for Windows 8, which is designed to make it more difficult to activate illegal copies of Redmond’s latest OS.

OEM Activation (OA) allows PC manufacturers to ship systems with Windows preinstalled and already activated, so that customers don’t need to take any additional steps to activate the OS when they first use a new computer.

In the past, hackers have managed to take advantage of the OA process to activate purloined copies of Windows, which ordinarily need to be activated with a license key. Rogue OEMs have also used similar systems to avoid paying tribute to Redmond.

The slides, which appear to be taken from Microsoft training materials, outline the differences between OA 3.0, which will debut with Windows 8, and earlier versions.

If the slides are authentic, under OA 3.0, manufacturers will be required to write a unique Windows product key into the BIOS of each new PC, keyed to that particular computer’s hardware. In the past, OEMs used the same product key for every PC they shipped.

Leaked slide showing Microsoft's OEM Activation 3.0 process for Windows 8

Looks simple enough.

The vendors will also now obtain their product keys directly from Microsoft via electronic delivery, and each new PC will come with a “Genuine Microsoft” sticker affixed, rather than the earlier Windows Certificate of Authenticity.

Factories will also be required to file production reports to Microsoft detailing their license compliance.

For now, OA 3.0 will only apply to new PCs running the Windows 8 client OS. Other versions, including Windows Server 2012 and Windows Embedded, will not use the new method – at least initially – and Windows 7 and earlier will continue to use the older OEM Activation method.

Microsoft declined to comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/03/windows_oem_activation_30/