STE WILLIAMS

Two weeks ’til the internet disappears, for 58 Fortune 500 companies

Even though the DNSChanger safety net deadline expires in just two weeks, 12 per cent of Fortune 500 firms still have at least one infected machine on their network, according to a new survey.

DNSChanger screwed up the domain name system (DNS) settings of compromised machines so that their lookups went to rogue servers, which redirected surfers to dodgy websites as part of a long-running click-fraud and scareware distribution racket. The FBI dismantled the botnet’s command-and-control infrastructure back in November, as part of Operation GhostClick.

A court order, twice extended, allowed the Feds to set up replacement DNS servers that resolved DNS queries from infected machines. This extended safety net will lapse on 9 July. Security laggards – who have had months to act and most recently have been targeted with warning messages from Google and Facebook – will be unable to use the internet normally unless they clean up their systems after this 9 July deadline. Without access to DNS servers it won’t be possible to send emails or surf the web, leaving compromised machines cut off from the interwebs.
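The infection the article describes is a changed resolver setting, so the practical check for an administrator is "where do this machine's DNS queries go?". The script below is an added example, not from the article, the FBI or the DNSChanger Working Group: it parses a resolv.conf-style file and flags any nameserver inside a known rogue range. The ranges here are constructed TEST-NET placeholders because the article does not reproduce the published list; the sample configuration is also constructed.

```python
import ipaddress
import re
import sys

# Placeholder ranges. The rogue resolver ranges the DNSChanger Working Group
# published are not reproduced in the article, so these TEST-NET blocks are
# constructed stand-ins; substitute the published list before relying on this.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample resolver configuration, in /etc/resolv.conf syntax.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 198.51.100.7   # falls inside a placeholder rogue range
nameserver 10.0.0.53
search corp.example
"""


def parse_nameservers(text):
    """Return the addresses of every valid 'nameserver' line in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and padding
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue                                # ignore malformed entries
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RESOLVER_RANGES):
    """Servers that fall inside any rogue range (a v4/v6 version mismatch is never a hit)."""
    return [s for s in servers if any(s in net for net in ranges)]


def check_resolv_conf(text, ranges=ROGUE_RESOLVER_RANGES):
    """Summarise a resolver configuration: configured servers, rogue hits and a verdict."""
    servers = parse_nameservers(text)
    hits = rogue_resolvers(servers, ranges)
    return {
        "nameservers": [str(s) for s in servers],
        "rogue": [str(h) for h in hits],
        "infected": bool(hits),
    }


if __name__ == "__main__":
    # Usage: python dnschanger_check.py [path]; defaults to the live resolver file.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path, encoding="utf-8") as fh:
        print(check_resolv_conf(fh.read()))
```

The same comparison applies to a router's WAN DNS setting, which the article notes can also be the infected device; pull that value from the router's admin page and feed it to `check_resolv_conf` as a one-line `nameserver` entry.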

Despite the seriousness of these looming problems, a survey by IID (Internet Identity), published on Thursday, discovered that 12 per cent of the Fortune 500 firms and 4 per cent of “major” US government organisations are still infected with DNSChanger. The malware also disables security software and updates on infected machines, further increasing the security risk by leaving compromised machines wide open to secondary attacks.

IID reports that at least 58 of all Fortune 500 companies and two out of 55 major government entities had at least one computer or router on their network that was infected with DNSChanger. By comparison, in January IID found that half of all Fortune 500 companies and US federal agencies were infected with DNSChanger, so the situation has improved a long way over the last five months but is still far from satisfactory.

The statistics come from IID’s security intelligence and reputation services as well as data from other security and internet infrastructure organisations.

At its peak as many as four million computers were infected by DNSChanger. An estimated 300,000 machines are still infected, according to figures from the DNSChanger Working Group.

Clean-up advice, along with more information and advice, can be found on the DNSChanger Working Group website here. IID has published an infographic about DNSChanger here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/29/dnschanger_rife_as_deadline_looms/

Join the gov consultation on net porn … and have your identity revealed

A parental internet controls consultation document released by the Department for Education yesterday is currently exposing the email addresses, unencrypted passwords and sensitive answers of members of the public who fill in the associated form.

Many Register readers have alerted us to the serious security flaw this morning, and some have already reported the possible breach of the Data Protection Act to the Information Commissioner’s Office.

We contacted the DfE to alert it to the privacy cockup. It was the first the bureaucrats had heard of the problem, apparently, despite users posting comments exposing the issue directly on the site.

Reg reader Daniel said:

“No URL manipulation was required; once I had completed the survey I simply clicked on the link to view my responses, and I was presented with another user’s responses instead. I have reported this breach to the ICO.”

Screenshot from Reg reader Daniel who is clearly not Leona…

“The government consultation website keeps crossing over the identities of logged-in users trying to fill it out, mixing up responses with those of other people and exposing personal details and ‘strictly confidential’ answers to all and sundry. It is a major violation of the data protection act,” Reg reader Jason told us.

El Reg has sought comment from the ICO. More to follow, no doubt. ®

Updated to Add

Since this piece was published the DfE has been in touch with the following statement:

We are aware of a technical problem affecting our Parental Internet Controls consultation website and have taken the site down while we investigate further. We will take all the necessary steps to correct the problem.

The ICO has now told The Register:

We have recently been made aware of a possible data breach which may involve the Department for Education’s website.

We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/29/dfe_website_security_flaw/

Free tool inspects all your personal ‘ware automatically

Secunia has taken the wraps off a new version of its consumer patch management tool, Secunia Personal Software Inspector (PSI) version 3.0.

PSI v3.0, released today, offers a free Windows security scanner for private PC users that covers applications from more than 3,000 vendors. The technology differs from previous versions in offering automatic security patch updates for all software application vendors (instead of just a select few) and a simplified dashboard-based user interface. Previous versions of Secunia PSI only provided automatic updates for vendors that made automatic updates available.

Users have the ability to ignore updates to a particular program by creating ignore rules. And the software retains the ability for more technically minded users to dig into update lists. The technology also offers home users the ability to view any out-of-date programs installed for which no security patch is available.

More than five million surfers use Secunia PSI to keep on top of software patching, something that’s become particularly important since the volume and risk associated with vulnerabilities in non-Microsoft (third-party) programs is on the increase.

PSI v3.0 offers support for five languages including French, Spanish, German, Danish and English. The software has been refined by lessons learned during the course of a four-month beta development programme, which began in February. Morten R Stengaard, director of product management and quality assurance at Secunia, said the focus of the Danish firm’s development efforts has been on “simplicity and usability”.

According to the latest version of Secunia’s annual report, the number of end-point vulnerabilities increased once again in 2011 to rack up a total of 800 vulnerabilities. More than half these flaws were rated by Secunia as either ‘highly’ or ‘extremely critical’.

Attacks exploiting vulnerable programs and plug-ins are often not blocked by traditional anti-virus, hence the importance of patching. Keeping third-party programs as well as core Windows components up to date is particularly important because attacks against Java and Adobe applications have become a hacker and virus writer favourite over recent years. Secunia PSI is designed as an essential complement to other security technologies, such as anti-virus and personal firewalls, rather than a replacement.

A video explaining the PSI 3.0 is available via YouTube here. Secunia PSI 3.0 can be downloaded from Secunia’s website here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/29/secunia_psi_revamp/

Open-source password keeper to get ‘minor’ weekend security fix

The developer of KeePass, the popular open-source password management utility, has promised an update this weekend following the discovery of a “minor” security bug in the tool.

KeePass Password Safe is a free-of-charge and open-source tool that offers consumers the ability to manage multiple passwords from a central vault. Access to the vault is locked with either a master passphrase or key file. These password vault databases are encrypted.

The KeePass Password Safe tool contains a function to export these databases to an HTML file. The vulnerability, which is restricted to older versions of KeePass, stems from the fact that the URLs of entries are embedded in the exported HTML file without encoding XML special characters.

This means that when the URL field of an entry contains a malicious script, this will be executed when the exported HTML file is opened in a browser, at least for KeePass 1.x. Strings in HTML files exported by KeePass 2.x are already encoded, so the latest version of the software is immune from the security bug.

Dominik Reichl, the developer of KeePass, told El Reg that fixing this flaw for KeePass 1.x is a simple matter of making sure that “XML special characters in URLs are encoded in the exported HTML file”.
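As an added illustration of the flaw and of the one-line fix Reichl describes, here is a Python model of the export step; it is not KeePass’s own code (the 1.x line is C++) and the entries, including the URL field that carries markup, are constructed sample data. One function embeds the fields verbatim, as the article says KeePass 1.x did, the other encodes the XML special characters before embedding them.

```python
import html

# Constructed sample vault entries. The last URL field carries markup to show
# what an unescaped export does with it; illustrative data, not a real vault.
SAMPLE_ENTRIES = [
    {"title": "Mail", "username": "alice", "url": "https://mail.example/"},
    {"title": "Bank & Savings", "username": "alice",
     "url": "https://bank.example/login?a=1&b=2"},
    {"title": "Imported entry", "username": "bob",
     "url": "http://host.example/<script>alert(1)</script>"},
]

HEADER = "<html><body><table><tr><th>Title</th><th>User</th><th>URL</th></tr>"
FOOTER = "</table></body></html>"


def export_html_unescaped(entries):
    """The flawed behaviour: every field is concatenated into the HTML verbatim."""
    rows = "".join(
        f"<tr><td>{e['title']}</td><td>{e['username']}</td>"
        f"<td><a href=\"{e['url']}\">{e['url']}</a></td></tr>"
        for e in entries
    )
    return HEADER + rows + FOOTER


def export_html_escaped(entries):
    """The fix: encode & < > \" ' in every field, attribute values included."""
    def esc(value):
        return html.escape(str(value), quote=True)

    rows = "".join(
        f"<tr><td>{esc(e['title'])}</td><td>{esc(e['username'])}</td>"
        f"<td><a href=\"{esc(e['url'])}\">{esc(e['url'])}</a></td></tr>"
        for e in entries
    )
    return HEADER + rows + FOOTER


def contains_raw_markup(document, needle="<script"):
    """True if the needle survives as live markup rather than as encoded text."""
    return needle in document
```

Escaping attribute values (`quote=True`) matters as much as escaping the link text: a URL field that closes the `href` quote early can inject an event-handler attribute without ever containing a `<`.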

Reichl acknowledges there’s a problem with older versions of his software, hence the development of a patch, but argues malicious attacks against the flaw would be difficult to execute – even on unpatched systems.

“A malicious URL can get into a KeePass database in two ways: either the user enters it manually in the entry-editing dialogue or the user manually imports a database file (not just as attachment),” Reichl explained, adding that in either case a potential attacker is relying on somehow coaxing a user into doing something inadvisable.

“The first way (manual entry) is extremely unlikely to happen; the user would need to be very inexperienced to not notice a script within an URL that he manually enters in the entry-editing dialogue. The second way is a bit more likely, but really how often does it happen that you import a database file that has been sent to you by someone? Also, a user must not look at the imported entries, otherwise he’d notice the malicious URL. And of course the user has to export the data to an HTML file and open it. Don’t get me wrong, I acknowledge the existence of the vulnerability and it definitely had to be fixed, but its severity seems to be a bit overrated,” Reichl concludes.

Reichl adds that KeePass 1.x doesn’t allow plugins that permit the automatic (his emphasis) importing of data from other applications, a factor that restricts the available attack options.

The KeePass bug was discovered by security researcher Benjamin Kunz Mejri of Vulnerability Lab, and publicised by an article on Kaspersky Lab’s ThreatPost blog earlier this week.

Reichl originally planned to release KeePass 1.23 (including the fix) under the original update schedule in a few months. However, in the aftermath of the discovery of the bug, Reichl has rethought this schedule and decided to release the update KeePass 1.23 in three days’ time, on Sunday 1 July. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/29/keepass_password_safe_security_update/

Security still slack in WA government agencies

While not as utterly hopeless as last year, IT security is still troublesome in Western Australia’s government agencies.

In last year’s annual audit, the Auditor General strolled through fourteen agency networks in an undetected penetration test. This year, the auditor’s staff have looked at payment security in nine agencies, as well as conducting a follow-up to last year’s tests.

Payment security presented a moderately depressing picture, with four unnamed agencies capturing customer data on their own servers before passing it off to a payment processor – something the report points out leaves the information potentially vulnerable to breaches (although the report didn’t find evidence of actual breaches).

Although the other five were more sensible – redirecting the customer straight to an external payment processor – the report also states that six agencies lack plans to respond to any loss of cardholder data.

In its follow-up to last year’s report, the Auditor-General found gems like cross-site scripting vulnerabilities in three agency servers, a payment vulnerability that allowed the testers to change the price of a purchase item to one cent (but still have the item delivered), and one agency that allowed an unauthorised user to upload files to its website (which would allow an attacker to upload malicious files).

Two agencies were vulnerable to SQL injection attacks, while another held sensitive personal staff information on publicly-available Web servers. Yet another was more than two-and-a-half years behind on its software updates.
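Two of the findings above, the one-cent price change and SQL injection, come from the same mistake: server code that takes request fields at face value. The following is an added example for this page, not code from any of the audited agencies; the catalogue table, SKUs, prices and function names are all constructed. It shows a checkout total computed from a client-supplied price beside one that looks the price up server-side with the SKU bound as a query parameter.

```python
import sqlite3

# Constructed catalogue; SKUs and prices are illustrative.
CATALOGUE = [
    ("LIC-001", "Licence renewal", 12500),
    ("CERT-010", "Certified copy", 3900),
]


def build_catalogue():
    """In-memory stand-in for an agency's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", CATALOGUE)
    conn.commit()
    return conn


def total_trusting_client(order):
    """The weakness found: the price arrives in the request and is believed as-is."""
    return sum(int(line["price_cents"]) * int(line["qty"]) for line in order["lines"])


def total_from_catalogue(conn, order):
    """Hardened: price is looked up server-side; the sku is bound, never concatenated."""
    total = 0
    for line in order["lines"]:
        qty = int(line["qty"])
        if qty < 1:
            raise ValueError("quantity must be positive")
        row = conn.execute(
            "SELECT price_cents FROM products WHERE sku = ?", (line["sku"],)
        ).fetchone()
        if row is None:
            raise ValueError(f"unknown sku {line['sku']!r}")
        total += row[0] * qty
    return total


def validate_order(conn, order):
    """(accepted, total_or_reason) wrapper so callers can branch without exceptions."""
    try:
        return True, total_from_catalogue(conn, order)
    except (ValueError, KeyError, TypeError) as exc:
        return False, str(exc)


# Constructed requests. The first claims the licence costs one cent; the second
# carries an SQL fragment in the sku field, which parameter binding renders inert.
TAMPERED_ORDER = {"lines": [{"sku": "LIC-001", "qty": 1, "price_cents": 1}]}
INJECTED_ORDER = {"lines": [{"sku": "LIC-001' OR '1'='1", "qty": 1, "price_cents": 1}]}
```

The hardened path never reads `price_cents` from the request at all, which is the simplest way to make the audit's one-cent finding impossible: a field the server does not consult cannot be tampered with to any effect.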

As the report notes, WA government agencies would do well to adopt the Defence Signals Directorate advice on how to keep their systems secure.

The agencies reviewed were the Departments of the Attorney-General, Finance, Housing, and Transport, along with Landgate, the Rottnest Island Authority, Synergy, the University of Western Australia, and the Water Corporation.

Exhibiting a touching faith in “security by obscurity”, the report doesn’t associate any agency with a particular vulnerability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/28/wa_security_still_slack/

No need to comply with data laws if it’s too difficult

Organisations will not have to abide by data protection laws if it would be too difficult, time-consuming and use up too many important resources to check whether information they hold is personally identifiable, the EU’s Council of Ministers has proposed.

The Council has outlined some revisions (112-page/575KB PDF) to the European Commission’s draft General Data Protection Regulation that was originally published in January. Under its proposals, published by information law experts Amberhawk Training, the Council has suggested amending the definition of ‘personal data’ as well as a recital outlining the scope of when the laws in the Regulation would apply to information.

Both the revised definition and recital contain new proposals that would see information declared not personally identifiable if it was too burdensome to assess whether it actually is.

The proposed definition states:

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. If identification requires a disproportionate amount of time, effort or material resources the natural living person shall not be considered identifiable.

The scope of data protection should only apply to “information concerning an identified or identifiable natural person” and “account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the individual, unless this would involve a disproportionate effort in terms of time or technical or financial resources,” according to the Council’s proposed recital.

Market researchers, online ad firms won’t benefit

Information law expert, Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that the proposed amendments do not adequately assist industries whose focus is research and those whose business models are not really focused on the individual.

“Market research companies and academic organisations which really aren’t focused on the individual but on research and, perhaps more controversially, the online advertising industry struggle with this binary distinction between personal and non-personal data,” said Dautlich. “So-called indirectly identifiable data manifests itself online in IP addresses, in cookies and in other forms and it is difficult to follow how in practice this disproportionate effort test would help alleviate the problem.”

Anonymised information that does not allow individuals to be identified and information about dead people should be outside the scope of the data protection law, the Council proposed.

The UK had failed with a suggestion to limit the application of data protection laws under the Regulation to circumstances where a person is “easily identifiable”, the Council’s draft revisions document said.

The European Commission’s draft General Data Protection Regulation was one of two legislative texts the Commission proposed and, if enforced, would introduce a single data protection law across all 27 EU member states. Companies that process personal data of EU citizens from outside the borders of the trading bloc would also be subject to the rules.

However, the presidency of the Council of Ministers detailed proposed revisions to the recitals and first ten articles of the draft Regulation following comments by individual EU member states. The revisions document sets out that there is opposition to the formation of a Regulation at all by some countries in the trading bloc. However, the terms of the Regulation were also heavily contested and resulted in proposals to alter the rules around consent to personal data processing.

Under existing EU data protection laws, and the original draft reforms, obtaining consent from individuals is one way for organisations to obtain a lawful ground to process personal information.

Under the planned reforms organisations operating in the EU would generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data, while that consent will not be able to be gleaned through silence or inactivity on the part of individuals. Instead it would have to be obtained through a statement or “clear affirmative action” before it can be said to have been given.

However, the Council reported that some EU member states, including the UK, had raised concerns that requiring consent to be explicit, freely given, specific and informed was “unrealistic” and had “queried its added value.”

Consent can be ‘implied’

Germany had wanted “conditions for electronic consent” to be set out in the text, while the Czech Republic said consent should only be said to have been given if it was “provable” rather than “explicitly” given. However, the European Commission said the Czech Republic’s suggestion did not account for the possibility that consent can be implied and said that there were already provisions in the Regulation to ensure that “consent should not be unnecessarily disruptive to the use of the service for which it is provided.”

Under the Council of Ministers’ plans the “burden of proof” will be on the data controlling organisation to show that they have achieved legitimate consent to processing. The UK said this proposed rule would “put a heavy regulatory burden on companies.” The plans also account for the rights of individuals to withdraw their consent at any time, but revisions have been proposed which state that the withdrawal does not affect the lawfulness of processing based on consent prior to the withdrawal and that “nor shall it affect the lawfulness of processing of data based on other grounds.”

The Council also outlined plans to expand on the number of lawful grounds that can be relied upon to justify personal data processing as an alternative to obtaining consent. Among the proposals are plans to expand on the right of data controllers to process personal data if their “legitimate interests” do not outweigh the fundamental rights of individuals concerned. Under the Council’s draft revisions, the “legitimate interests” of third parties could also be considered as grounds to justify personal data processing where to do so would not interfere with the fundamental rights of individuals.

Further proposed expansions to the lawful grounds for personal data processing include in select circumstances relating to sensitive information and where the processing is necessary to comply with freedom of expression rights, in an employment context or for historical, statistical and scientific purposes, among others.

Revisions have also been suggested to enable personal data that is collected for a “specified, explicit and legitimate purposes” to be further processed “for historical, statistical or scientific purposes” subject to certain “conditions and safeguards” contained in the draft Regulation. Those conditions require, among other things, that the processing only go ahead if the purposes cannot be achieved by processing anonymised data instead and generally that data attributable to individuals is kept separate from “other information”.

The Council of Ministers’ document also detailed views on the application of data protection laws to information posted on social networks. The Commission’s draft Regulation contains a particular provision that exempts the rules laid out in the text from applying to “the processing of personal data … by a natural person without any gainful interest in the course of its own exclusively personal or household activity”.

The Commission said that this ‘household exemption’ should apply to social network users unless they set their privacy settings to ‘public’ “ie, when personal data are available … to an unrestricted number of individuals and not only to a limited audience at large.” The UK had also argued that “selling personal possessions on an auction site” should also fall under the exemption.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/28/council_of_ministers_personal_data/

Google Chrome update plugs score of security bugs

Google has updated its Chrome browser to address 20 vulnerabilities, none of which are deemed critical.

Chrome version 20 coincidentally covers patches for a score of security bugs, as listed here. Many of the fixed vulnerabilities involve “use-after-free” memory-related security bugs, some of which are rated as high risk.

Users of Chrome on all supported platforms (Windows, Mac, Linux and Chrome Frame) ought to review the cross-platform update. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/28/google_chrome_update/

‘Evil’ hacker gets two and a half years in the slammer

Australia’s most notorious country-town, truck-driving cyber criminal David ‘Evil’ Cecil has been handed a two-and-a-half-year prison sentence after being arrested nearly a year ago.

Cecil hacked into telco service provider Platform Networks, owned by the ASX-listed Eftel Group and was charged with one count of an unauthorised modification of data and 49 counts of accessing restricted data. Pleading guilty, Cecil is now eligible for parole in 12 months.

The Australian Federal Police said that Cecil “acted with an extreme and unusual level of malice and with no regard to the damage caused, indiscriminately targeting both individuals and companies.”

The AFP, which ran a six-month investigation into his hacking antics, also alleged that his hacking was motivated by ego, an attempt to prove his skills after complaining he could not get work in the IT sector.

The original attack on Platform Networks was muddied by inaccurate reports that Australia’s National Broadband Network had been hacked as Platform was signed on as an NBN retail service provider, but had not yet gone live on the service.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/28/plaform_hacker_gets_jail_time/

Fraudsters phish for NatWest clients with ‘Stephen Hester’ email

NatWest customers are being targeted by a run of fake “phishing” emails exploiting the recent disruption in the bank’s services, Action Fraud warns.

The fraudulent electronic messages offer prospective marks access to their accounts in exchange for personal information. In reality the opportunistic scam is designed purely to harvest personal information, which is later used to drain compromised accounts or for other forms of ID theft.

“One of the phishing emails, purporting to be from Stephen Hester, the head of RBS, apologises for the problems at RBS and says a ‘security upgrade’ requires [customers] to update their information,” Action Fraud explains.

“But if customers follow the web link in the email, they are taken to an ‘incredibly realistic’ replica of the NatWest website.

“If they do enter their account details on the fake site, the fraudsters will be able to log in to their account and steal all their money. There is also a risk that your identity could be compromised.”

Alan Woodward, a professor of computing at Surrey University, said: “This shows how on-the-ball these opportunistic criminals are. Imagine not being able to access your bank account and then getting one of these.

“Given the number of NatWest customers and the volume of emails that the scammers send, some people are going to fall for it, especially if they are desperate.”

Recipients of the NatWest phishing email are advised to ignore it and on no account to open attachments or enter personal details after following links from such emails. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/27/natwest_disruption_phishing/

69,000 sign petition to save TV-linker O’Dwyer from US extradition

Wikipedia founder Jimmy Wales has got over 69,000 signatures on a petition to save a 24-year-old Briton from extradition to the US.

Wales wants British Home Secretary Theresa May to save the youngster from being sent to the US, where authorities want to try him for copyright infringement. The Wiki-daddy sees the plight of O’Dwyer as a test case for the copyright-censorship debate:

The internet as a whole must not tolerate censorship in response to mere allegations of copyright infringement. As citizens we must stand up for our rights online.

Wales lists out his objections to extraditing O’Dwyer:

I’m concerned about this case because O’Dwyer is not a US citizen, his site (TVShack.net) was not hosted there, and most of his users were not from the US. I don’t understand why America is trying to prosecute a UK citizen for an alleged crime which took place on UK soil. If there was a crime it should be investigated and tried here in the UK, not in the US.

Because Wales is not a UK citizen or resident, he cannot use the UK government’s official epetition site: epetitions.gov.uk. Petitions that get at least 100,000 signatures on the government site are considered for Parliamentary debate: there seem as yet to be no official epetitions for O’Dwyer. The Change.org petition seems to be an awareness-raising exercise.

We note that there is another petition related to Jimmy Wales on Change.org, though not initiated by the great man himself. The petition ‘Replace the image of Jimmy Wales with that of a golden retriever’ came about in response to his annual fundraising campaign which often features images of his face.

“We believe that replacing his face with that of a becoming and equally plaintive Golden Retriever would negate the offputting factor, and in fact increase the appealing factor to a significant degree,” the petition states. However it has only received 14 signatures and is now closed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/27/jimmy_wales_richard_odwyer/