STE WILLIAMS

Yahoo! fixes! password! leak! vulnerability!

Yahoo! has fixed the flaw that allowed hackers to scrape the unencrypted passwords of over 450,000 of its customers’ accounts.

“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users,” Yahoo! said in a statement. “In addition, we will continue to take significant measures to protect our users and their data.”

The company said the information published by members of the hacking group D33Ds Company stemmed from users who had signed up with the Associated Content site before Yahoo! bought it in 2010.

If these users try to log into their Yahoo! accounts now, they will be asked a series of authentication questions before having to change their data, and Yahoo! is also suggesting other users get into the habit of changing their passwords regularly.

The D33Ds Company hackers claimed that they broke into the corporate database via a simple SQL injection attack, and Yahoo! says that hole is now fixed and additional security procedures have been implemented. One would hope that includes adding password encryption to avoid a similarly embarrassing situation in the future. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/13/yahoo_fixes_password_hole/

NVIDIA Developer Zone, user forums plundered in hack attack

Graphics processor biz NVIDIA has contacted users of its discussion forums and Developer Zone to warn that its servers have been hacked.

The message boards hosted at forums.nvidia.com and the programming resource developer.nvidia.com were breached last week. Data lifted from the compromised systems included account passwords although they were properly salted and stored as a one-way encrypted hash.

As soon as the chip designer became aware of the attack it shut the affected sites down and started trying to work out what went wrong. NVIDIA is still trying to do that, but mailed users (including a brace of El Reg readers) to let them know their data has been compromised.

That information includes usernames and email addresses, along with the per-user “About Me” profile page details which are public-facing anyway.

The passwords were salted with random numbers so should remain secure against most brute-force attacks. Punters who have adopted the one-passphrase-for-everything approach are advised to run around changing all their logins anyway.

NVIDIA said that once the forums are purged of badness, it will send out new passwords to everyone, via their registered email addresses, and will post a public message on the status page when that’s completed.

Any email that appears to have been sent by NVIDIA requesting “personal, financial or sensitive information” should be ignored, the company warned in an attempt to nip opportunistic phishing attempts in the bud. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/13/nvidia_hack/

Ex-EMC admin bod ‘embezzled $220k on limos, hols, surgery’

An EMC Hopkinton HQ admin assistant has been charged with stealing $220,000 from the storage and virtualisation vendor, the District Attorney for the Middlesex District of Massachusetts has confirmed. She denies any wrongdoing.

Madeline Vinton, 35, of Webster, Massachusetts, had been an admin assistant at EMC from April 2006 to February 2012, the firm told police.

According to the DA, EMC investigators alleged they had detected unusual patterns in her travel and other expenses. They called in the cops and together with the local DA’s office, they investigated further before charging her with five counts of larceny.

The money was allegedly spent on plastic surgery, limousine hire, Boston Celtics games, hotel stays and meals. The woman was also accused by EMC investigators of claiming more than $48,000 for overtime which she allegedly had not performed. EMC fired her in February.

She was arraigned in the Middlesex Superior Court on 11 July, where she pleaded not guilty, and bailed for $7,500 plus a surrender of her passport, the DA confirmed. Her next court appearance is on 29 August. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/13/emc_embezzler/

FBI investigates ZTE cover-up allegations

The FBI has opened a criminal investigation into allegations that Chinese telecoms kit maker ZTE flouted United States laws by selling technology from US firms to Iran and then deliberately covering its tracks once the media caught wind.

The Smoking Gun claims to have obtained a top secret FBI affidavit which reveals that senior officials at the firm were “engaged in an on-going attempt to corruptly obstruct and impede” a Department of Commerce investigation.

The story first broke when Reuters reported in March that ZTE had sold its ZXMT phone monitoring product to the state-run Telecommunication Co. of Iran (TCI) in 2010 as part of a €98.6m (£82.4m) deal for networking equipment.

The more damning allegations, however, centred on a 900-page ‘packing list’ of products sold to TCI which included AV software, switches and monitors, some of which were made by US companies like Microsoft, HP and Symantec and therefore subject to the country’s strict trade embargo with Iran.

In a statement at the time, ZTE said it “always respects and complies with international and local laws wherever it operates”, and claimed it had restricted its business practices in Iran since 2011, but didn’t comment on allegations of breaking US law.

The main revelations in the affidavit come from Ashley Yablon, an attorney with ZTE’s US subsidiary.

He apparently told the FBI that at one key meeting to decide ZTE’s response to the reports, a group of senior officials “huddled together in the corner of the room” discussing shredding documents and changing the incriminating packing list.

According to TSG, Yablon has handed over the files on his work laptop to the FBI.

These files, he says, detail how ZTE established subsidiary companies or other affiliates to “facilitate the corporation’s purchase of US-made telecommunications components for inclusion intended to be shipped or exported to countries subject to US embargo”.

The Shenzhen-based company told The Reg today it had no comment on the breaking allegations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/13/zte_iran_tech_us_fbi_investigation/

Phishers use less strident subject lines to deliver new cunning attacks

The use of exploit kits is allowing phishing fraudsters to develop scams that only rely on tricking prospective marks into clicking a link, rather than submitting all their details to a bogus website.

Many recent phishing runs spotted by Trend Micro have made use of the notorious Blackhole Exploit kit. The hacker favourite is used to automate the process of mounting drive-by-download style attacks from compromised (often legitimate) websites. Blackhole preys on browser exploits, Adobe software bugs and, most recently, the latest Java vulnerabilities, a particularly successful strategy since third-party software frequently goes without updates.

By using the exploit kit in phishing emails, cybercrooks move away from the tricky process of coaxing marks into submitting data to bogus websites, traditionally pulled off using a bogus security alert from their bank as a lure, to simply tricking users into opening an email and clicking a link.

The shift means that the subject matter and tone of phishing emails is changing. In addition, the traditional security advice about phishing emails is becoming outdated, Trend warns.

Phishing messages of yesterday typically screamed “security alert”, while modern messages are more subtle and feature subject lines such as “Your statement is available online”, “Incoming payment received” and “Password reset notification”.

“In many cases these messages are identical to the legitimate messages sent by the legitimate organisation,” Trend Micro warns. “Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link”.

Banking Trojans such as ZeuS and Cridex, spread using exploits and vulnerabilities, have been around for years. Banking Trojans developed using cybercrime toolkits look for activity such as logins to financial websites. As well as encountering exploit toolkits on compromised legitimate websites, surfers are now being exposed to them via their inboxes, thanks to a shift in tactics by e-banking fraudsters.

Trend’s research, published on Thursday, documents changing tactics for spreading banking Trojans and explains how standard anti-phishing advice is no longer valid, which makes its white paper Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs (PDF) worth reviewing.

Trend looked at more than 200 separate spam runs featuring in excess of 40 organisations during Q2 2012. The spam campaigns claim to be from legitimate companies such as Intuit, LinkedIn, the US Postal Service (USPS), US Airways, Facebook, and PayPal, among others. Compromised sites were used and reused from one attack to another. Exploit methods were the same and the botnet networks used in many cases were also similar. ®
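Trend’s point above is that the lure text is now a copy of the genuine notification and the only tell is the bad link, so a filter keyed on “security alert” style subject lines no longer helps. The script below is an added example, not Trend Micro’s or The Register’s code: it pulls every anchor out of an HTML mail body and flags links whose host is outside the sender’s domain, plus links whose visible text names one domain while the href goes to another. The sample message, the sender address and the domains in it are constructed placeholders, and the two-label “registered domain” heuristic is an assumption (production code would use a public-suffix list).

```python
"""Flag mail whose links point away from the claimed sender (added example,
not Trend Micro's or The Register's code). Sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, text)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for the example only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(sender: str, html_body: str) -> list:
    """Return (href, reason) for each link that does not belong to the sender's
    domain, or whose visible text names a different domain than its href."""
    sender_domain = registered_domain(sender.split("@")[-1])
    parser = LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        reasons = []
        if href_domain != sender_domain:
            reasons.append(f"link host {href_domain!r} is not sender domain {sender_domain!r}")
        if "." in text and " " not in text:
            # Visible text looks like a URL: it must name the same domain as the href.
            shown = registered_domain(
                urlparse(text if "://" in text else "//" + text).hostname or "")
            if shown != href_domain:
                reasons.append(f"visible text names {shown!r} but href goes to {href_domain!r}")
        if reasons:
            flagged.append((href, "; ".join(reasons)))
    return flagged


# Constructed sample: the wording copies a genuine statement notice, only the links differ.
SENDER = "statements@example-bank.com"
SAMPLE_HTML = """
<html><body>
<p>Your statement is available online.</p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
<p><a href="http://compromised-site.example/stmt.php?id=7">View statement</a></p>
<p><a href="http://compromised-site.example/login">www.example-bank.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SENDER, SAMPLE_HTML):
        print(f"FLAG {href}: {reason}")
```

The check deliberately ignores the subject line and body text, which Trend says are now copied verbatim from the real notifications; the sender domain used for comparison should come from a DKIM- or SPF-verified header rather than the raw From: line, which a phisher can set freely.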

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/13/exploit_kits_trickier_phishing_scams/

Online retail drives card fraud in Oz

OK, so nobody uses cheques any more: as a result, fraud based on the venerable paper slip with a signature is now well-and-truly eclipsed by online credit card fraud, according to the Australian Payments Clearing Association.

The APCA has released its latest survey of payment fraud, in which it reports that “card not present” (CNP – online, via phone or mail) fraud is the dominant rip-off, now representing 96 cents in every $AU1,000 worth of transactions, compared to just 0.7 cents per $AU1,000 for cheque fraud.

CNP fraud now represents 71 percent of total fraud committed against Australian-issued cards, and – in a challenge for law enforcement – more than half of that fraud is committed offshore, the association says.

Australia seems to be getting better at tackling card skimming, however, with point-of-sale (POS) and ATM fraud falling by nearly 38 percent, from 7.9 cents per $AU1,000 of transactions to 4.9 cents. Debit card fraud in the same category fell by nearly half, from 2.5 cents to 1.3 cents per $AU1,000, reflecting the growing popularity of chip cards in Australia.

The APCA report states that the total value of fraudulent card-not-present transactions passed $AU278 million in Australia by December 2011, a rise of more than 51 percent.

Fraudulent transactions remain, however, a relatively small proportion of total business. The million-plus fraudulent CNP transactions recorded by the APCA represented just 0.0517 percent of total transactions in 2011. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/12/online_fraud_grows_in_oz/

Expert: BA doesn’t need permission to google your face

British Airways (BA) may not need passengers’ consent in order to identify them using images available on the internet, an expert has said.

Data protection law specialist Danielle van der Merwe of Pinsent Masons (the law firm behind Out-Law.com) said that the company could argue that it is in its legitimate interests to process online images of passengers who have booked with it.

Last week BA announced plans to engage in more personalised interaction with customers through its ‘Know Me’ customer service programme. Staff at the airline will use iPads and a special ‘app’ to search Google Images for a photo of individual passengers to enable them to recognise and greet them at airports. Other information, such as whether passengers have experienced delays on previous flights, will also be available to crew via the devices, according to media reports.

Nick Pickles of privacy watchdog Big Brother Watch said that BA needs passengers’ consent to justify them processing their online images, according to a report by London’s Evening Standard. However, Van der Merwe said there may be other ways in which the company could justify its activity as being compliant with data protection laws.

“There are a number of routes available under the Data Protection Act that one can take in order to justify the arrangement under the Act, the most appropriate of those would be to notify passengers about the possible processing and asking them for their consent at the time they book a flight,” she said. “This can be achieved in the company’s terms and conditions which are brought to the attention of a passenger when booking a flight. However, consent can always be withdrawn at a later stage by a passenger and the company needs to have procedures in place to deal with an opt-out by those individuals.

“There are, however, other routes available to BA under the Data Protection Act other than through gaining the passenger’s consent. BA could argue that the processing is in its legitimate interests because it wants to offer the best experience to its customers possible,” Van der Merwe added.

Under the Data Protection Act (DPA), personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only.

Organisations must meet at least one of the “legitimising conditions” under the DPA in order to process an individual’s personal data, such as having obtained the individual’s consent to do so. Other lawful grounds for processing that do not require consent include where it is necessary for the performance of a contract, necessary in order to protect the “vital interests of the data subject” or where it is necessary “for the administration of justice”.

Van der Merwe said that while BA could rely on consent where it had been given, it was unlikely that it could justify its Google Image checks on the other lawful grounds listed, other than if it could claim the processing was in its ‘legitimate interests’ and not overridden by the rights of passengers.

Under the DPA, organisations can process personal data if it is “necessary for the purposes of the legitimate interests” they are pursuing, as long as that processing is not “unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

The subjective nature of that provision means BA should hold documentary evidence of its consideration of data protection matters in order to justify its processing activities if required to do so, Van der Merwe added.

“Companies need to be able to show that they are taking the privacy of their customers’ personal data seriously and that data protection is something that is considered before a company engages in an activity involving their customers’ personal data,” she said. “Companies unable to do so are more likely to face enforcement action from the Information Commissioner.”

A BA spokesman said that the company complies with the DPA and that it aims to “send 4,500 personal recognition messages a day by the end of the year,” according to the Evening Standard report.

“We are entirely compliant with the UK Data Protection Act and would never breach that,” the spokesman said. “Know Me is simply another tool to enable us to offer good customer service, similar to the recognition that high street loyalty scheme members expect. The Google Images search app helps our customer service team to recognise high profile travellers such as captains of industry who would be using our First class facilities enabling us to give a more personalised service.”

BA: They love a bit of it

Jo Boswell, head of customer analysis at BA, said the personalisation programme was just at the “start” and that it had a “myriad of possibilities for the future.” However, Van der Merwe said that it may be harder for the company to justify more intrusive processing activities without passenger consent.

“While some passengers may be delighted at being addressed on personal terms after airline staff have cross-referenced them with available images online, others may be uncomfortable with the idea and consider that their privacy has been invaded and take real offence,” she said. “BA could argue that this activity is within their legitimate interests as they are offering customers a better service and therefore making their airline more popular with customers.

“BA would be less likely to be able to justify further personalising its customer service by checking other personal data online, such as that which is available on social network sites. For example, it is likely that the company would need the consent of passengers to look at their activities on Facebook or LinkedIn etc. for the purposes of proactively engaging those individuals in conversation about their social or professional interests,” Van der Merwe said.

Out-Law.com asked BA to explain its future plans for delivering more personalised customer service but the company did not respond to our queries.

The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), said that BA, among other requirements under the DPA, must make sure that “passengers’ information is stored securely and is not kept for longer than is necessary.” It added that “looking after individuals’ data correctly” was not just a legal requirement but that it “plays an important role in maintaining consumer confidence.”

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/12/british_airways_know_me_programme_probably_kosher/

Japanese IT glitch leaves foreigners’ ID cards incomplete

A computer error has been blamed after countless foreign residents in Japan received new ID cards this week without the key addition of an electronic signature designed to prevent counterfeiting.

The Immigration Bureau began issuing the new zairyu cards for the first time on Monday but soon realised that a technical malfunction meant the justice minister’s signature had not been included, according to the Japan Times.

The error still hadn’t been fixed by Tuesday, so immigration offices across the country continued to issue the cards without the signature, after bosses apparently said they would still be valid.

“Counterfeiting the cards is extremely difficult even without the signature,” an Immigration Bureau spokeswoman told the paper.

The government must now decide whether it goes to the trouble and expense of issuing replacements for those who have the signature-less cards or if it is happy with the level of security they already provide.

Ironically, the zairyu cards were introduced as part of changes to the country’s strict immigration laws designed to reduce the administrative burden on local authorities by centralising all application and processing.

This week’s IT error is unlikely to create a huge counterfeiting problem in Japan – the cards already include IC chips, for example – but will be an embarrassment for the authorities.

For many, however, the bigger problem is the government’s stubborn refusal to consider loosening immigration controls in order to help an enfeebled economy saddled with a shrinking population. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/12/japan_immigration_residence_cards_glitch/

Yahoo! hack! leaks! 453,000! unencrypted passwords!

A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online.

A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as “a wake-up call and not a threat”.

The data dump included the hostname dbb1.ac.bf1.yahoo.com, which is associated with the blog-like service Yahoo! Voices, TrustedSec reports – although there was some confusion over whether the hacked service was in fact the internet telephone call app Yahoo! Voice.

The compromise was all too typical: a union-based SQL injection attack that tricked the website into handing over more information than it really should, Ars Technica reports. A hacking crew called the D33Ds Company claimed responsibility for the assault.
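To make the “union-based SQL injection” concrete from the defender’s side, here is an added example (not Yahoo!’s, Ars Technica’s or The Register’s code) that puts a vulnerable lookup next to its parameterised fix against a throwaway in-memory SQLite database. The schema and rows are constructed: `articles` stands in for the public content a search page is meant to return, and `users` for the credentials table such a query should never be able to reach. The probe string is the textbook shape of the attack the article names; the point of the block is that the same input is inert once the term is bound as a parameter.

```python
"""Union-based SQL injection: vulnerable lookup beside the parameterised fix.
Added example, not code from Yahoo! or The Register; schema and data constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Hypothetical schema: a public articles table and a credentials table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE articles (title TEXT, author TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO articles VALUES ('Why I love cats', 'alice');
        INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 'ninja');
        """
    )
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # Deliberately vulnerable, as in the article: the user's term is pasted into the
    # SQL text, so a term containing a quote and a UNION becomes part of the query.
    sql = f"SELECT title, author FROM articles WHERE title LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_parameterised(con: sqlite3.Connection, term: str) -> list:
    # Fix: the term travels to the engine as a bound value and can never be parsed
    # as SQL syntax, whatever characters it contains.
    sql = "SELECT title, author FROM articles WHERE title LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


# Textbook probe: closes the string, appends a UNION over another table, comments out the rest.
PROBE = "zzz' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", search_vulnerable(con, PROBE))     # leaks the users table
    print("fixed:     ", search_parameterised(con, PROBE))  # [] : no title contains that text
    print("fixed, normal term:", search_parameterised(con, "cats"))
```

Parameterisation closes the injection, but it would not have limited the damage once the query was abused: the leaked dump was readable because the password column held cleartext, and a least-privilege database account for the web front end (one that cannot read the credentials table at all) would have shrunk the blast radius of any remaining bug.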

Security firm Eset has carried out a preliminary statistical analysis of the leaked credentials here. A disappointing – but not surprising – number of the exposed passwords included, er, “password”, “welcome”, “Jesus” and “ninja”.

It’s unclear why Yahoo! Voices was storing unencrypted passwords in its backend database – unsalted one-way encrypted hashes would have been bad enough. ®
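The two breach stories on this page illustrate the three ways a site can store passwords: NVIDIA’s forums kept per-user salted one-way hashes, the Yahoo! Voices database held cleartext, and the sentence above notes that unsalted hashes would have been only somewhat better. The following is an added example, not code from NVIDIA, Yahoo! or The Register, using only the Python standard library to show why the distinction matters: with unsalted hashes, every user who chose “password” gets the same stored value, so a leaked table reveals shared passwords at a glance, while a random per-user salt makes identical passwords indistinguishable and forces a separate guessing effort per row. The storage format, iteration count and sample users are assumptions.

```python
"""Cleartext vs unsalted hash vs salted PBKDF2 password storage.
Added example, not code from NVIDIA, Yahoo! or The Register."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumption: tune so one check costs ~100 ms on the server
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """What an unsalted scheme stores: identical passwords give identical rows."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (format is an assumption)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user and every reset
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_rows_reveal_shared_passwords(stored_values: list) -> bool:
    """True if two stored values collide, i.e. the table gives away shared passwords."""
    return len(set(stored_values)) != len(stored_values)


if __name__ == "__main__":
    # Constructed sample: two users who both chose "password", as many in the Yahoo! leak did.
    users = {"alice": "password", "bob": "password", "carol": "correct horse battery staple"}
    unsalted = [unsalted_digest(p) for p in users.values()]
    salted = [hash_password(p) for p in users.values()]
    print("unsalted rows collide:", leaked_rows_reveal_shared_passwords(unsalted))
    print("salted rows collide:  ", leaked_rows_reveal_shared_passwords(salted))
    print("login with right password:", verify_password("password", salted[0]))
    print("login with wrong password:", verify_password("Password", salted[0]))
```

A salted, iterated hash still does nothing for the users Eset found with “password” or “ninja”: a dictionary guess against a single row succeeds almost immediately regardless of the salt. Salting removes the shortcut of cracking the whole table at once and the iteration count raises the per-guess cost, which is exactly why NVIDIA could tell forum users their passwords “should remain secure against most brute-force attacks” while still advising anyone who reuses passwords to change them.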

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/12/yahoo_voice_password_flap/

Instagram bug ‘exposed’ hipsters’ private photos to strangers

A just-patched vulnerability in Instagram potentially exposed hipsters’ private photos and more to strangers.

A bug in the popular photo touch-up utility, acquired by Facebook in April for $1bn, allowed malicious users to add themselves as “friends” to individual accounts without permission and view snaps marked as private.

In a security advisory, Instagram said the “Following Bug” has been fixed.

It denied that private photos were even exposed, an assurance that conflicts with claims in a blog post by Sebastián Guerrero, the Spanish security researcher who discovered the flaw in the first place. An English language security advisory related to Guerrero’s research can be found here.

Guerrero warned that photos and private information were exposed by the bug, which stems from the ability to guess and forge approved requests to follow, or befriend, a user using a brute-force attack. Both Android and iPhone versions of Instagram were affected by the vulnerability.
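The article says only that approved follow requests could be guessed and forged, not how Instagram implemented them, so the following is an added, hypothetical model rather than Instagram’s or Facebook’s code. It shows the two server-side controls that close that class of bug: follow-request identifiers drawn from a cryptographic random source, so they cannot be enumerated, and an authorisation check that only the account being followed can approve. A deliberately weak variant with sequential ids and no ownership check is kept alongside for contrast. All class and method names are invented.

```python
"""Follow-request approval with unguessable ids and an ownership check.
Added, hypothetical example; not Instagram's or Facebook's code."""
import secrets
from dataclasses import dataclass, field


class NotAuthorised(Exception):
    """Raised for an unknown request id or an actor who does not own the target."""


@dataclass
class FollowRequest:
    requester: str
    target: str
    approved: bool = False


@dataclass
class FollowService:
    requests: dict = field(default_factory=dict)    # request id -> FollowRequest
    followers: dict = field(default_factory=dict)   # target -> set of approved followers

    def create_request(self, requester: str, target: str) -> str:
        """Return a 128-bit random id; nobody can enumerate or predict it."""
        request_id = secrets.token_urlsafe(16)
        self.requests[request_id] = FollowRequest(requester, target)
        return request_id

    def approve(self, request_id: str, acting_user: str) -> bool:
        """Approve only if the id exists AND the actor is the account being followed.
        Both failures raise the same error so a caller cannot tell 'no such request'
        from 'not yours', which would otherwise confirm guessed ids."""
        req = self.requests.get(request_id)
        if req is None or req.target != acting_user:
            raise NotAuthorised("request not found or not yours to approve")
        req.approved = True
        self.followers.setdefault(req.target, set()).add(req.requester)
        return True

    def is_following(self, follower: str, target: str) -> bool:
        return follower in self.followers.get(target, set())


class WeakFollowService(FollowService):
    """The bug class described in the article, for contrast: sequential ids and
    no check on who is approving, so a requester can approve their own request."""

    def __init__(self):
        super().__init__()
        self._next_id = 1

    def create_request(self, requester: str, target: str) -> str:
        request_id = str(self._next_id)   # trivially guessable
        self._next_id += 1
        self.requests[request_id] = FollowRequest(requester, target)
        return request_id

    def approve(self, request_id: str, acting_user: str) -> bool:
        req = self.requests[request_id]   # missing: req.target == acting_user
        req.approved = True
        self.followers.setdefault(req.target, set()).add(req.requester)
        return True


if __name__ == "__main__":
    svc = FollowService()
    rid = svc.create_request("researcher", "celebrity")
    try:
        svc.approve(rid, "researcher")          # requester cannot self-approve
    except NotAuthorised as e:
        print("rejected:", e)
    svc.approve(rid, "celebrity")               # owner of the target account can
    print("following:", svc.is_following("researcher", "celebrity"))
```

The unguessable id on its own is not the fix: the ownership check in `approve` is what stops a forged approval, and the random id merely removes the enumeration that made the original brute-force practical. Rate limiting on the approval endpoint and an audit log of who approved what would be the operational complements to both.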

The security researcher illustrated the vulnerability by adding himself to the select group of people followed by Facebook head honcho Mark Zuckerberg. Guerrero then sent the social networking mogul a message congratulating him on buying Instagram and asking for some sort of reward under Facebook’s bug bounty programme.

Commentary on how the vulnerability worked and what it might mean for Facebook can be found in a blog post by Stephen Cobb of web security firm Eset here. Facebook is subject to a settlement with US consumer watchdog the FTC, which imposed audits for the next 20 years as a result of the social network’s dodgy record on protecting punters’ privacy.

The web goliath got into trouble for “deceiving consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public”. Although accidental, the privacy bug at Instagram might at least merit a few awkward questions for Facebook from FTC enforcers, Eset notes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/12/instagram_privacy_flaw/