STE WILLIAMS

Indian software pirating suspect faces US extradition

An alleged software counterfeiter from India faces possible US extradition.

Nikhil Kablekar, 29, a resident of the Mumbai suburb of Andheri, was arrested by Indian police on Wednesday afternoon over alleged hacking and copyright violation offences. Computers, CDs, USB sticks and other evidence were seized from his home by Mumbai police, who were acting on a request from the US District Court for the Southern District of New York.

It’s unclear if US authorities will seek Kablekar’s extradition or whether an FBI team will travel to Mumbai to question him over his alleged offences. Kablekar allegedly used hacking techniques to defeat copyright protection measures on software titles before creating counterfeit CDs, which he then re-sold.

The case prompted an FBI investigation that led to a March 2010 indictment against Kablekar. Details of what software titles were targeted or the supposed value of the fraud are yet to emerge.

If Kablekar is extradited it will be the first such case in a decade, The Times of India reports. Kablekar is due to appear at a court in Delhi later today. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/12/indian_software_counterfeit_suspect_us_extradition_threat/

Web snooping bill an ‘odious shopping list of new gov powers’

Tory backbencher David Davis has described the government’s draft communications surveillance law as an “odious shopping list” of new powers demanded by the Home Office.

He told MPs and peers at a joint select committee hearing on Wednesday afternoon that UK spooks were “looking for a pin” but instead “creating a field of haystacks” by pushing through the proposals.

His comments came a day after senior officials told the committee that the Communications Data Bill, if approved by Parliament, will require the recording and storing of citizens’ web activities in black boxes funded by taxpayers.

Tuesday’s hearing focussed on the security services and other authorities arguing that companies which provide communications services should be able to legally retain more information on Brits to help, for example, the police crack murder cases.

Davis, however, expressed concerns about the evidence put forward by Charles Farr, who heads up the Office for Security and Counter-Terrorism, and others during that confab.

The MP also questioned the Home Office’s extensive “shopping list” of “odious” reasons for needing access to retained data; the security arrangements for protecting the black boxes and their sensitive contents; how the technology will work; and who will access the records.

Davis was joined on the panel by privacy activists Nick Pickles of Big Brother Watch, Gus Hosein of Privacy International and Jim Killock of Open Rights Group, all of whom broadly agreed that a court-issued warrant-backed system would be more appropriate than the proposed warrantless web snooping.

Hosein raised a key point about Home Secretary Theresa May’s proposals* by saying that up to now communications surveillance in the UK had always been about regulating access to telephone and web logs.

“Now it is about collection of information,” he warned.

Hosein noted that the collection of data by ISPs through Deep Packet Inspection (DPI) probes – colloquially dubbed black boxes – had only been implemented on a national scale in China, Iran and Kazakhstan.

“The idea of a black box organised at a central level has not actually yet been done in a democratic country,” he added.

Hosein also pointed out that if, by way of example, an order is placed against Google, then presumably the government is expecting that overseas company to retain communications data and subsequently disclose it on request.

He said that many communication service providers – which includes the likes of Google and Facebook – considered it a challenge to pinpoint which of its customers were based in the UK: many people can sign up to social networks, webmail and similar services without giving away their location and other personal information.

The notion of British taxpayers paying private companies to hoard communications data on behalf of the UK government was unpalatable, he added.

Further, Hosein questioned what might happen if an ISP is ordered by British spooks, police or indeed the taxman to install a DPI box containing technology of a certain specification that is kept secret from the telco.

The Privacy International man doubted that once such a probe was active on an ISP’s network that those companies would then have any control over that gear.

Pickles also warned that, under the proposed law, protesters outside Parliament might, for example, be more easily rounded up and identified by police who could access the comms data sent between individuals in that area. ®

* A copy of the draft bill can be found here [PDF].

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/12/communications_data_bill_joint_committee_day_2/

Disable Gadgets NOW says Redmond

Microsoft has advised Vista and Windows 7 users to put Gadgets and the Windows Sidebar to the sword, following the revelation of yet-to-be-detailed remote code execution vulnerabilities in the features.

Redmond issued this advisory ahead of an upcoming Black Hat presentation by Mickey Shkatov and Toby Kohlenberg. The two have promised to reveal “interesting attack vectors” in a presentation called “We Have You By The Gadgets”.

Microsoft hasn’t provided any further information about the vulnerability, other than to say that users could install insecure Gadgets that enable remote code execution.

“Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time,” Microsoft notes.

Since Gadgets run with the rights of the current user, a malicious Gadget gets whatever that user can do; on an account with administrative rights, that means code execution at administrative level.

The Microsoft fix disables the Windows Sidebar and Gadgets on all supported Vista and Windows 7 editions.

The unloved Sidebar feature for Gadgets was killed off in Windows 8, as was the Windows Live Gallery used to access Gadgets from the desktop. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/11/disable_stupid_gadgets_says_microsoft/

Chemical giant foils infected USB stick espionage bid

An attempt to infiltrate the corporate systems of Dutch chemical giant DSM by leaving malware-riddled USB sticks in the corporation’s car park has failed.

Instead of plugging the discarded drives into a workstation, which would have infected the machine, the worker who first found one of the devices handed it in to DSM’s IT department.

Sysadmins subsequently found an unspecified password-stealing keylogger, according to local reports by Elsevier.nl (Google translation here).

The spyware was designed to upload stolen usernames and passwords to a server under the control of hackers. This site was blocked by DSM’s sysadmins, effectively thwarting the password-snatching object of the attack, so the company would be protected even should any other workers find and use the infected USB sticks on corporate laptops.

It’s unclear who was behind the plan, but regular cybercriminals or industrial spies are two strong possibilities. It’s even possible the infected keystroke logger was planted there by a firm hired to test DSM’s cyber-defences, which on the basis of this case are better than those of many other firms.

Using infected USB sticks as a method of smuggling malware into firms has become a regular occurrence over recent years, security researchers note, especially since they featured as the presumed delivery mechanism of the infamous Stuxnet worm. Penetration testers might regard the ruse as too easy, akin to shooting fish in a barrel, a blog post by net security firm Sophos comments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/11/infected_usb_spyware/

Formspring springs a leak: 28 MILLION passwords reset after raid

Formspring has told its 28 million users to change their passwords following the discovery of a security breach.

A sample of 420,000 password hashes for the question-and-answer website have been posted online, sparking concerns that the entire user base might have been exposed. In response, Formspring disabled users’ passwords and applied a reset as a precaution.

In a blog post, Formspring’s chief exec and founder Ade Olonoh said that users’ personal information was not in any way associated with the purloined password hashes, adding that the hashes (one-way digests, not reversible encryption) were in any case salted.

Olonoh blames the slip-up on a poorly secured development server linked to a live (production) database.

“Once we were able to verify that the hashes were obtained from Formspring, we locked down our systems and began an investigation to determine the nature of the breach,” he said. “We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”

Formspring plans to move its password hashing from salted SHA-256 to Bcrypt – a deliberately slow hash built on the Blowfish cipher – in order to bolster security.

Salting defeats precomputed rainbow-table lookups, because each user’s hash has to be attacked separately. It does nothing to slow a dictionary or brute-force attack on an individual hash, which is why a fast hash such as SHA-256 is a poor choice for passwords and a work-factor hash such as Bcrypt is the better option.
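The following is an added example (not Formspring’s code) showing why the change matters. It stores a constructed password two ways: salted SHA-256, as Formspring had it, and a slow, tunable key derivation function. Bcrypt itself needs a third-party package, so PBKDF2 from the standard library stands in for it here; the property that matters, a work factor that makes each guess expensive, is the same. The wordlist and user records are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed attacker wordlist; not real leaked data.
WORDLIST = ["password", "letmein", "qwerty", "formspring1", "Tr0ub4dor&3"]

# --- What Formspring had: SHA-256 with a per-user random salt -------------

def hash_sha256_salted(password: str, salt: bytes = None):
    """Return (salt, digest). A fresh 16-byte salt per user means two users
    with the same password get different digests, so one precomputed
    (rainbow) table cannot be reused across the whole database."""
    salt = salt or os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

def verify_sha256_salted(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(
        hashlib.sha256(salt + password.encode()).digest(), digest)

def crack_salted_sha256(salt: bytes, digest: bytes, candidates):
    """Dictionary attack on one leaked (salt, digest) pair. The salt is stored
    next to the hash, so the attacker simply includes it; what limits the
    attack is only the per-guess cost, which for SHA-256 is tiny."""
    for guess in candidates:
        if hashlib.sha256(salt + guess.encode()).digest() == digest:
            return guess
    return None

# --- What a work-factor hash buys: each guess costs real CPU time ----------

ITERATIONS = 200_000   # tune upward as hardware gets faster

def hash_slow(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """PBKDF2-HMAC-SHA256 as a stand-in for Bcrypt (assumption of this
    example; Bcrypt needs a third-party library)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     iterations, dklen=32)

def verify_slow(password: str, salt: bytes, digest: bytes,
                iterations: int = ITERATIONS) -> bool:
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations,
                            dklen=32), digest)

def cost_ratio(password: str = "letmein", trials: int = 5) -> float:
    """Rough per-guess cost of the slow hash relative to plain SHA-256 on this
    machine: the factor by which an attacker's guess rate drops."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.sha256(salt + password.encode()).digest()
    fast = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials):
        hash_slow(password, salt)
    slow = (time.perf_counter() - t0) / trials
    return slow / fast

if __name__ == "__main__":
    salt, digest = hash_sha256_salted("letmein")
    print("salted SHA-256 cracked as:", crack_salted_sha256(salt, digest, WORDLIST))
    print("slow hash costs about %.0fx more per guess" % cost_ratio())
```

The salt does its job (two users with the same password get different digests, and a table built for one site is useless against another), but a weak password still falls to a wordlist in microseconds. Moving to a work-factor hash turns the same attack into hours or days per account, which is the point of the Bcrypt migration.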

The exposure follows the LinkedIn breach last month. However early reaction from security watchers, including Graham Cluley at Sophos, is that Formspring has coped better with this breach than LinkedIn did with its hack attack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/11/formspring_security_breach/

Top spook: ISP black boxes NOT key to UK’s web-snoop plan

Government-funded black boxes that monitor the UK’s internet traffic are not “the cornerstone” of the Home Office’s web super-snoop plan, a top spook has told MPs and peers.

Ex-MI6 man Charles Farr, who heads up the Office for Security and Counter-Terrorism, dismissed claims that Deep Packet Inspection (DPI) probes are the “central plank” of the government’s Communications Data Bill currently being scrutinised by Parliament.

Instead, he insisted at a committee meeting of politicos on Tuesday afternoon that cooperation with communications service providers (CSPs) such as Google and Facebook was key to the proposed legislation.

Police, spooks and the taxman – among other authorities – would need to use packet-capturing black boxes when CSPs declined to provide access to communications data where it is suspected that criminal activity has taken place, said Farr.

“We could in theory accept that there is a communication service used by criminals where we cannot access any data. But that is not the view of this government,” he said.

If CSPs refuse to provide those authorities with access to such data, a black box would be placed on a network where such information could be hoovered up.

Farr [pictured centre]: ‘I dunno. A black box is about this big, I guess’

Farr added that in those instances the security services would work with ISPs to develop the technology and the telco would store the data.

Interestingly, the government’s Director of Communications Capability Directorate Richard Alcock appeared to indicate that the likes of Google, Twitter and Facebook would be expected to retain unencrypted data on their systems.

All of those CSPs – whose cooperation Farr had earlier described as a “patchwork quilt” – are not only headquartered overseas but have also each implemented the Secure Sockets Layer (SSL) protocol on their services.

Up until yesterday, it was unclear how spooks could intercept traffic when such websites transmit individual user sessions over encrypted SSL channels.

“Through the bill we’ll only be able to access communications data. CSPs will hold unencrypted data on their systems, we’ll need to work with them,” Alcock said.

“It’s very easy to separate content from communications data,” he added before offering reassurance to the committee of politicos by saying “we won’t be applying systems that cannot reliably do that”.

Peter Hill – the Head of Unit for Pursue Policy and Strategy Unit at the Home Office – stressed at the meeting that many CSPs were only too happy to cooperate. The reason for the new legislation, he added, was that “the data that we need is not available rather than that it’s not being shared with us”.

Farr described the discussions his office has had with CSPs as “constructive”. He said: “Those providers understand there is an issue, they want to help to address it but they want a legal process to support it.”

On the issue of DPI, Alcock said black boxes were already “used as a matter of course” by ISPs.

“It’s possible to use that existing kit to establish the who, where and when,” he said before repeating that “if we cannot reliably extract comms data by that route then we won’t do it”.

Farr had earlier defended Home Secretary Theresa May’s draft communications bill – dubbed a snoopers’ charter – by saying that clarity was needed about what data providers should retain. He said a “technical problem” existed with the current Data Retention Directive (DRD) and the Regulation of Investigatory Powers Act (RIPA).

“The lack of data is then compounded by a legal problem because the DRD is not clear about what information should be retained,” he said.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/11/communcations_data_bill_joint_committee/

MS squashes 0day bug in July Patch Tuesday

Microsoft has patched an under-attack zero-day vulnerability in XML Core Services as part of the July edition of Patch Tuesday.

The critical security update (MS12-043) addresses a security flaw that has made its way into the Blackhole Exploit toolkit since its discovery last month. A further two critical updates cover a cumulative security update for Internet Explorer and a remote code execution flaw in MS Data Access Components (a part of Windows), respectively. The six other bulletins issued on Tuesday cover lesser security flaws.

Andrew Storms, director of security operations for nCircle, noted that only under-attack versions of XML Core Services have been patched, as yet.

“The most important patch this month is undoubtedly the XML core services bug,” Storms commented. “Microsoft issued an advisory for this bug in early June and we’ve already seen the exploit in a number of exploit toolkits and attacks have been reported in the wild.”

“[The] XML version 5 patch for the bug isn’t shipping today. The fix for this version is probably not ready yet, so Microsoft decided to deliver the other patches. So far, all the attacks in the wild utilize XML version 3, so this release, even though not totally complete, seems like a no-brainer.”

Storms added that the IE patch is significant because it represents a step up in frequency for browser security updates from Microsoft.

“Usually, Microsoft sticks to an extensive two-month test cycle for Internet Explorer, so that’s why we’ve only seen them every other month,” he said.

“[An] MSRC post says that additional resources have been added to IE testing to reduce the test period. It’s good to know that Microsoft can deliver IE patches faster, but IT security teams are probably less than thrilled, since they are going to see a lot more IE patches, including the one released today.”

Microsoft’s summary of its security bulletins is here. The Internet Storm Centre has published an easier to understand overview here.

The July edition of Patch Tuesday marks the first time Microsoft has made use of an update mechanism that it hardened in response to an investigation into the Flame malware, a cyber-espionage tool that abused certain aspects of Redmond’s update mechanism in order to spread. The investigation into Flame also resulted in Microsoft’s decision to revoke 28 digital certificates, as a precaution.

In an advisory, Microsoft explains that the revoked certificates were vulnerable to spoofing attacks, hence the decision to replace them with something stronger. “Upon a routine review, we are placing these certificates in the Untrusted Certificate Store, and replacing them with new certificate authorities that meet our high standard of public-key infrastructure (PKI) management. We are unaware of any misuse of the certificate authorities, but are taking pre-emptive action to protect customers. This issue affects all supported releases of Microsoft Windows.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/11/ms_july_patch_tuesday/

Multi-platform exploit sniffs your OS, penetrates your back door

Cybercrooks have begun deploying a web exploit which detects whether the victim is running Windows, Mac OS or Linux before firing an appropriate Trojan.

The multi-platform backdoor was found on a Colombian transport website by security researchers at F-Secure. The backdoor uses a JAR (Java ARchive) file to figure out whether a user’s machine is running Windows, Mac OS or Linux before downloading the appropriate files for that platform.

Surfers are tricked into agreeing to accept a malicious file under the guise that it is merely a benign applet.

All three malicious files are programmed to connect to a server in order to download additional components. No additional components were actually downloaded at the time F-Secure warned of the attack in a blog post on Monday afternoon.

F-Secure has reported both the command-and-control server and the hacked website to the appropriate authorities.

Attacks that attempt to figure out whether a surfer is using a Mac or a Windows machine before slinging exploits have been seen in a few cases in the past, mostly in association with scareware scams. Such dual-platform attacks remain rare. Multi-platform attacks are rarer still, hence the significance of F-Secure’s find. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/11/multi_platform_backdoor/

Websense boosts defenses against spear-phishing, data theft

Websense has added a slew of new defenses with the launch of Triton v7.7, which it says are designed to prevent the advanced data-theft attacks that have emerged as spear-phishing becomes more sophisticated.

Of particular interest to security managers will be a focus on detecting the more patient attacks (in industry parlance, “low and slow” attacks), exemplified by Stuxnet, Duqu and Flame. Alison Higgins-Miller, the company’s APAC vice-president, told The Register such attacks have been around for many years, but have only recently begun to get the attention they deserve.

“If you park malicious software inside an organization, but drip-feed information slowly, it might not raise any red flags,” she said.

If a single customer record leaving an organization doesn’t trip a security trigger, then “the drip feed” can become an open door, Higgins-Miller claimed. To address such threats, Websense’s Triton platform now looks for slower patterns, such as a small number of records leaving an organization on a regular basis.
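The drip-feed problem is a detection-logic problem, and it can be shown in a few lines. The following is an added example, not Websense code or its log format: it runs two rules over constructed egress log lines (timestamp, user, destination, number of records sent). The per-event rule is the one that misses the drip feed; the second aggregates each user/destination pair over a sliding window and counts the distinct days on which transfers recur, which is the kind of slower pattern the article describes. Thresholds and the sample lines are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress log: "<iso timestamp> <user> <destination> <records>".
# Invented for the example; not Websense or any real product's output.
LOG = """\
2012-07-06T09:02:11 alice mail.partner.example 1
2012-07-06T17:45:03 mallory drop.example.net 3
2012-07-07T17:52:19 mallory drop.example.net 2
2012-07-08T17:40:44 mallory drop.example.net 4
2012-07-09T17:49:10 mallory drop.example.net 3
2012-07-10T17:55:31 mallory drop.example.net 2
2012-07-10T11:20:00 bob crm.example.com 500
"""

def parse(log: str):
    """Yield (timestamp, user, destination, records) tuples."""
    for line in log.splitlines():
        ts, user, dst, n = line.split()
        yield datetime.fromisoformat(ts), user, dst, int(n)

def per_event_alerts(events, threshold: int = 100):
    """Classic rule: a single transfer above the threshold. Catches the bulk
    dump, never the drip feed of a few records at a time."""
    return [(u, d, n) for _, u, d, n in events if n >= threshold]

def low_and_slow_alerts(events, window=timedelta(days=7),
                        total: int = 10, min_days: int = 4):
    """Flag (user, destination) pairs whose small transfers add up to
    `total` records within `window` and recur on at least `min_days`
    distinct days. Returns (user, dst, records_in_window, days)."""
    by_pair = defaultdict(list)
    for ts, u, d, n in sorted(events):
        by_pair[(u, d)].append((ts, n))
    alerts = []
    for (user, dst), xs in by_pair.items():
        start = 0
        for end in range(len(xs)):
            while xs[end][0] - xs[start][0] > window:   # slide window forward
                start += 1
            span = xs[start:end + 1]
            records = sum(n for _, n in span)
            days = {t.date() for t, _ in span}
            if records >= total and len(days) >= min_days:
                alerts.append((user, dst, records, len(days)))
                break                                    # one alert per pair
    return alerts

if __name__ == "__main__":
    events = list(parse(LOG))
    print("per-event   :", per_event_alerts(events))
    print("low and slow:", low_and_slow_alerts(events))
```

Here mallory never sends more than four records at once, so the per-event rule is silent while bob’s single 500-record export fires; the windowed rule reverses that, firing on mallory after the fourth evening of small transfers. Tuning `total` and `min_days` against a baseline of normal business traffic is where the real work is.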

Triton has also been equipped with OCR capabilities, to look for information leaving organisations in non-document format, such as an insider using screen shots rather than text files to pass information to outsiders.

Another attack vector observed by the company’s labs is to implant an innocuous HTML link in e-mails, allow it to be classified as harmless by security software, and then change it to a malicious link later.

“E-mail security evasion is becoming more common,” Higgins-Miller told The Register. “The approach is this: the attacker takes control of a Website, but doesn’t change the destination immediately. That way, the URL [in the e-mail] gets analyzed and okayed.”

If the e-mail is sent at the right time – for example, on a Friday night – there’s plenty of time to activate malicious code on the target. “Then the recipient comes in on Monday morning, clicks on the link, and is infected.

“We’re trying to anticipate those behaviours, so we now have the ability to mark e-mails for real-time URL sandbox analysis.”

That sandbox has been moved into the company’s cloud, Websense says, so that mobile users get the same protection regardless of location.

To protect against the kind of password-theft that has hit the headlines over the last year or so (courtesy of attacks on Sony, Stratfor, e-Harmony, LinkedIn and others), Triton v7.7 is now analyzing the kind of encryption applied to data exiting an organization. If the platform spots a file using encryption that’s previously unknown on the network (that is, if the attacker’s code is using its own encryption engine), then a high-severity alert is raised to the dashboard. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/10/websense_launches_triton_7_7/

Phishers jailed for lifting over £300k from student loan applicants

A UK-based phishing fraudster who netted an estimated £300K by targeting students was jailed for three-and-a-half years on Friday, London’s Metropolitan Police confirmed.

Damola Olatunji, 37, tricked victims into submitting their banking details to bogus websites in response to dodgy emails supposedly related to student loans. Prospective marks were falsely told they needed to “update their banking details” in order to receive funds. In reality the submitted account details were used to loot funds, with amounts ranging from £1,000 to £5,000 slurped from compromised accounts. Olatunji managed to obtain the login details of 1,300 student accounts using the ruse, according to police.

The 37-year-old was convicted of fraud worth £304,000 and attempted fraud of £162,000 related to the student loan phishing scam. He was also found guilty of a separate £75,000 fraud against accounts held at the Halifax bank. The conspiracy to defraud the Student Loans Company earned him three-and-a-half years behind bars. He was also sentenced to two years over the Halifax scam and one year for money laundering, with both sentences to run concurrently with the main charge.

Separately, Amos Mwangi, 26, was recently jailed for three years and three months over the same type of student loan phishing scam. There’s no evidence the duo were working together, but they were both arrested as part of the same operation, which involved raids at addresses in London and Manchester last December. Computers seized from Mwangi revealed he was running numerous programs which enabled him to build phishing emails and register fake websites.

Four other suspects were arrested as part of the same raids last December.

Police estimate the group were collectively involved in attempts to steal an estimated total of more than £1.5m from the Student Loan Company.

“Mwangi and Olatunji were determined fraudsters who systematically targeted British students in order to steal large amounts of money,” said DI Jason Tunn of the Met’s Police Central e-Crime Unit (PCeU) in a statement. “Despite the complexity of the investigation, PCeU investigators working closely with the Student Loan Company and other partners were able to identify those responsible and bring them to justice.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/10/student_loan_phishing_fraudsters_jailed/