STE WILLIAMS

US mayor and son charged with hacking into opposition site

A small town US mayor and his son have been arrested over allegations they hacked into a website calling for his recall.

Dr Felix Roque, 55, the mayor of West New York, New Jersey, and Joseph Roque, 22, of Passaic County, allegedly hacked into recallroque.com and illegally accessed e-mails in February. Joseph Roque is accused of gaining control of the administrative email account associated with the dot-com before interacting with its web host, Go Daddy, to shut the site down, The New York Times reports.

The father and son team also “sought to identify, intimidate and harass” those who operated the website and other critics of Roque’s administration, the Department of Justice alleged:

By the late afternoon of February 8, 2012, Joseph Roque had successfully hacked into various online accounts used in connection with the recall website. Joseph Roque then used that access to disable the website. Mayor Roque harassed and attempted to intimidate several individuals whom he had learned were associated with the recall website.

The pair face conspiracy and computer hacking charges over the alleged political dirty tricks. Both charges carry possible fines on conviction of up to $250,000 and the risk of a substantial spell behind bars. The alleged abuse of public trust involved in the case means the charges are being treated especially seriously.

FBI Special Agent in Charge Michael B. Ward commented: “In this instance, an elected official conspired to hack into a website and email account.

“It’s incredibly disappointing that resources have to be diverted from protecting the US against cyber intrusions targeting critical infrastructure, federally funded research and military technology, to address a public official intruding into computer systems to further a political agenda.”

US Attorney Paul Fishman added: “The elected leader of West New York and his son allegedly hacked into computers to intimidate constituents who were simply using the internet to exercise their Constitutional rights to criticise the government.”

Mayor Roque only gained office last year after leading a successful recall against the previous mayor, Sal Vega, and beating him in the subsequent election. West New York has a population of 50,000 and is located around seven miles from Manhattan. It’s unclear whether or not Roque, who describes himself as an “independent conservative democrat”, intends to resign as a result of the charges, The Jersey Journal reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/25/us_mayor_hacking_charges/

Facebookers trigger vote to choke Zuck’s data suck

Facebook may be forced to make changes to its data use policy after campaigners helped drive enough complaints about the company’s own proposed amendments to trigger a user vote on the matter.

Under Facebook’s ‘Statement of Rights and Responsibilities‘ the company is obliged to allow its users to vote on alternatives the company draws up if “more than 7,000 users comment” on its own proposals seeking to change those terms.

Earlier this month the social networking business, headed by billionaire Mark Zuckerberg, announced that it wanted to update its data use policy because the Irish data protection watchdog had asked it to “enhance” it in order “to be even more detailed about how [Facebook] uses information”.

The Office of the Irish Data Protection Commissioner (ODPC) audited Facebook Ireland’s privacy policies and practices late last year after it received complaints about the company’s use of personal data from privacy group Europe-v-Facebook. Facebook Ireland has responsibility for all Facebook users outside of the USA and Canada.

The watchdog told Facebook to make a number of changes to the way it uses and stores its users’ personal data and the way it explains its data use policy. It is due to commence another audit of Facebook in July in order to assess the company’s efforts in meeting these recommendations.

Facebook’s proposed changes to its data use policy include new explanations of its data deletion practices as well as the controls that users have over the sharing of information with third-party applications. However, 47,824 users commented on the plans with many posting opposition to the planned new terms and instead calling for the chance to vote on the “demands” outlined by Europe-v-Facebook.

The campaigners have said the planned changes would not address the concerns they have with Facebook’s privacy practices and have instead outlined their own alternatives. These include requiring Facebook to “implement an ‘Opt-In’ instead of an ‘Opt-Out’ system for all data use and all features (eg, face recognition, applications or tags).”

“Right now, we are going through to see if there are things that make sense to change or that we want to respond to,” Barry Schnitt, director of corporate communications and public policy at Facebook, has said, according to a report by CNET.

More than 30 per cent of “all active registered users as of the date of the notice” would have to vote on the terms of that notice in order for the vote to be “binding” on Facebook, according to the company’s terms.

According to Facebook, the site – which floated on the stock market this month – had 901 million monthly active users at the end of March 2012.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/25/facebook_data_use_policy_up_for_vote/

Police cuff hundreds in £7.3 MILLION phone scam

Police across South East Asia have swooped on an international telephone fraud gang, arresting over 480 people in eight countries after an investigation lasting six months.

The alleged gang members, most of whom are Chinese and Taiwanese, are suspected of conning their victims out of 73 million yuan (£7.3m), according to a Xinhua report.

Although all 510 suspected cases of fraud took place on the Chinese mainland, the suspects were rounded up in nations around the region – Thailand, Malaysia, Indonesia, Cambodia, Sri Lanka, Fiji, China and Taiwan – and are said to have established money-laundering operations in Taiwan and Thailand.

Given the size of the group, two chartered planes were needed to fly the Chinese suspects back from Thailand and Malaysia to Beijing on Thursday, while separate planes were needed to transport the Taiwanese members back to their home country to be prosecuted.

China’s Ministry of Public Security led the investigation, which saw six groups of officers sent around the region earlier this month.

Liu Ancheng, Deputy Director of the ministry’s Criminal Investigation Bureau, is quoted as saying that the case was unusual for mainland crime because of the large numbers of Taiwanese involved.

“The group mainly squeezed money from individuals or companies by calling them in the name of police or procuratorate staff and threatening to accuse them of money-laundering crimes,” he reportedly added.

“Ringleaders from Taiwan were deterred by mainland police’s stern crackdown on telecom scams, so they recruited locals in Taiwan to commit this crime.”

Cynical observers may suggest that the criminals’ modus operandi worked so well because of the high level of police corruption in China, which made their phone calls appear credible.

Phone fraud is on the rise in Asia, particularly in Japan where the elderly are often targeted. In fact, the problem is so bad there that Fujitsu recently unveiled technology designed to alert users when they are being scammed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/25/china_phone_fraud_gang_arrested/

Queensland Police warn of tax refund phishing

Queensland Police are warning residents of the Sunshine State about a new phishing scam that sees emails arrive in Australian Taxation Office (ATO) livery, complete with promise of a refund.

Such emails are, we imagine here in El Reg’s antipodean eyrie, probably the only email one really wants to open from the ATO.

Queensland Police advise that the email’s subject line is ‘Subject: ID: 46 – Tax Refund Notice !’ and that the scam unfurls as follows:

The email advises the recipient to wait 6-9 working days for their “refund” to be received and they are directed to click on a link which appears to start as a genuine “ato.gov.au” email address, but on closer inspection contains a “@hotmail.com” address within the link. The fraudsters tell the recipient they will record their IP address, date and time and threaten that deliberate wrong inputs are criminally pursued and persecuted. When directed to the website recipients are confronted with an authentic-looking web page and are required to enter an array of identity details, credit card number, estimated credit card balance and, amongst other things, to upload a scan of their driver’s licence.

The mail is, of course, a scam and no refund will be forthcoming. Instead, identity theft and unwanted credit card purchases await those who fall into this trap.
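The link trick the police describe relies on the URL userinfo component: everything before an `@` in the authority part is ignored for routing, so a link can begin with the trusted name and still resolve to a completely different host. The following is an added example (not from the Queensland Police advisory or The Register) showing how a mail gateway or user-education tool can parse a link and report the host the browser would actually connect to. It goes slightly beyond the advisory by also flagging look-alike subdomains; the sample links and the `example.net`/`example.org` hosts are constructed placeholders.

```python
"""Flag links whose visible prefix impersonates a trusted host.

Added example, not part of the Queensland Police advisory.  In a URL the
text before '@' in the authority is the userinfo component; browsers
ignore it for routing, so "http://ato.gov.au@hotmail.com/" connects to
hotmail.com while looking, at a glance, like an ato.gov.au address.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "ato.gov.au"

# Constructed sample links modelled on the advisory's description.  The
# hosts after '@' are placeholders, not real phishing infrastructure.
SAMPLE_LINKS = [
    "http://ato.gov.au/refund/claim",                 # genuine-looking and real
    "http://ato.gov.au@hotmail.com/refund/claim",     # the userinfo trick
    "http://www.ato.gov.au:80@example.net/refund",    # userinfo with a fake port
    "https://ato.gov.au.example.org/refund",          # look-alike subdomain
]


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to (lower-cased)."""
    return (urlsplit(url).hostname or "").lower()


def host_is_trusted(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain itself or a label beneath it."""
    return host == trusted or host.endswith("." + trusted)


def classify(url: str) -> str:
    """Classify a link as 'ok', 'userinfo-spoof' or 'lookalike'."""
    parts = urlsplit(url)
    if host_is_trusted(real_host(url)):
        return "ok"
    # A userinfo component that itself contains the trusted name is the
    # exact trick the advisory describes.
    if parts.username is not None and TRUSTED_DOMAIN in parts.username.lower():
        return "userinfo-spoof"
    return "lookalike"


def report(urls=SAMPLE_LINKS) -> list:
    """Return (url, real_host, verdict) triples for a batch of links."""
    return [(u, real_host(u), classify(u)) for u in urls]


if __name__ == "__main__":
    for url, host, verdict in report():
        print(f"{verdict:15} host={host:25} {url}")
```

`urlsplit` does the hard part: `hostname` is taken from the text after the last `@` in the authority, and `username` is whatever preceded it, so the check never has to guess where the deception begins.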

Detective Superintendent Brian Hay of the State Crime Operations Command’s Fraud and Corporate Crime Group says “While fake emails like the ATO scam email are nothing new, people are still falling victim to it each day. This is very much a concern to us.”

And to us, Detective Superintendent. And to us. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/25/queensland_tax_phishing_warning/

Nmap 6.0 arrives

Popular open source network discovery and security auditing tool Nmap has reached version 6.0.

The new code hit the Net last Monday, complete with a message from coder Gordon Lyon, aka Fyodor, that the new version represents “almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009.”

Fyodor recommends all users upgrade to the new version, so they can get their hands on 289 new scripts and a host of new features. The six he rates most important are:

  1. An enhanced scripting engine
  2. Better web scanning
  3. Full IPv6 support
  4. A new Nping tool that can generate all sorts of packets
  5. Improvements to the Zenmap GUI (pictured below)
  6. Faster scanning

The Zenmap topology mapper from Nmap 6

Nmap is very widely used, including in Hollywood … which Fyodor proudly points out has used it in more than a dozen flicks, including The Matrix. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/25/nmap_6_released/


How zombie LulzSec exposed privates’ love lives with PHP hack

A dating website for US soldiers was hacked and its database leaked after it blindly trusted user-submitted files, according to an analysis by security firm Imperva. The report highlights the danger of handling documents uploaded to web apps.

“LulzSec Reborn” hacktivists attacked MilitarySingles.com and disclosed sensitive information on more than 170,000 lonely-heart privates in March this year. Hackers uploaded a PHP file that posed as a harmless text document and then commandeered the web server to cough up the contents of its user database, including the hashed passwords.

Rob Rachwald, director of security strategy at Imperva, said the attack would have been blocked if MilitarySingles.com had filtered user-supplied content.

He added that similar Remote File Inclusion-style vulnerabilities will exist in other sites that use PHP and actively solicit photos, video and so on.

Imperva reckons more than 90 per cent of the MilitarySingles.com passwords were cracked in nine hours thanks to extended dictionary-based rainbow lookup tables. MilitarySingles.com stored passwords as non-reversible hashes rather than in plain text; however, it did not salt the hashes, which would have made the process of recovering the passwords far more difficult. Insisting on hard-to-guess passwords isn’t good enough unless developers pay attention to encryption best practices, said Rachwald.
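The two failures Imperva describes, trusting a user-supplied file and storing unsalted hashes, each have a standard fix. The block below is an added example, not code from Imperva, MilitarySingles.com or the attackers, written in Python rather than the site's PHP so the same logic reads independently of the framework. Part 1 accepts an upload only if its leading bytes match an allow-listed image type, then stores it under a server-chosen name in a directory the web server never executes from; part 2 stores passwords as per-user-salted PBKDF2 hashes so a leaked table cannot be cracked with a precomputed rainbow table. The sample files, the temporary upload directory and the `hunter2` password are constructed for the demo.

```python
"""Upload validation and salted password storage (added example, not the
site's or Imperva's code).  Part 1 never trusts the file name or the
client-declared type; part 2 makes a leaked password table expensive to
crack.  All inputs below are constructed for the demonstration.
"""
import hashlib
import os
import secrets
import tempfile

# Part 1: allowed upload types, recognised by leading bytes only.
MAGIC_BYTES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data: bytes):
    """Return the allow-listed extension for data, or None if unrecognised."""
    for magic, ext in MAGIC_BYTES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, claimed_name: str, upload_root: str) -> str:
    """Validate and store an upload; raise ValueError when it is rejected.

    claimed_name appears only in the error message.  It never influences
    the path on disk, so a script named like a text document cannot end up
    somewhere the web server would execute it.
    """
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError(f"rejected {claimed_name!r}: not an allowed image type")
    stored_name = f"{secrets.token_hex(16)}.{ext}"   # server-chosen random name
    path = os.path.join(upload_root, stored_name)     # upload_root sits outside the web root
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Part 2: salted, iterated password hashing with the standard library.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt=None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$hash_hex' with a per-user salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return secrets.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Run both parts on constructed inputs and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as upload_root:
        png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # constructed PNG header plus filler
        fake_txt = b"<?php echo 'hello'; ?>"            # script bytes under an innocent name
        results["png_stored"] = os.path.isfile(store_upload(png, "avatar.png", upload_root))
        try:
            store_upload(fake_txt, "readme.txt", upload_root)
            results["script_rejected"] = False
        except ValueError:
            results["script_rejected"] = True
    # Same password for two users: different salts, so different stored hashes.
    h1, h2 = hash_password("hunter2"), hash_password("hunter2")
    results["hashes_differ"] = h1 != h2
    results["verify_ok"] = check_password("hunter2", h1) and not check_password("hunter3", h1)
    return results


if __name__ == "__main__":
    print(demo())
```

PBKDF2 is used because it ships with the standard library; a memory-hard function such as scrypt (`hashlib.scrypt`) or Argon2 is the better choice where available, and the storage format above carries the round count so it can be raised later without invalidating existing records.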

The attack against MilitarySingles.com is the only notable assault by LulzSec Reborn. Imperva’s analysis suggests the group has no more than six members, who set out to “embarrass the military”. The crew is apparently “not as motivated” as the original LulzSec, according to Rachwald, adding that it has made little or no contribution to IRC chats and hacker forums.

MilitarySingles.com, which bills itself as the “dating website for single soldiers… and those interested in meeting them”, is run by eSingles Inc.

Government and military personnel ought to have special policies regarding social networking to prevent their information from being easily accessed and manipulated. Rachwald told El Reg that an outright ban is likely to be flouted. Instead soldiers should be encouraged to use pseudonyms and particularly warned against disclosing their location, he said.

An analysis of the website breach was published in the May edition of Imperva’s monthly Hacker Intelligence, which can be downloaded here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/24/militarysingles_lulzsec_hack_disected/

Attack of the clones: Researcher pwns SecurID token system

Analysis RSA Security has downplayed the significance of an attack that offers a potential way to clone its SecurID software tokens.

The attack, developed by Behrang Fouladi, senior security analyst at SensePost, offers a potential way to defeat the hardware binding and copy protection embedded in RSA’s software. Having defeated this protection, Fouladi was subsequently able to copy across sensitive parameters, including the all-important encryption seed value and other data associated with a particular software token. This allowed him to run a second cloned instance of a software token on a separate system.

In a demo, Fouladi set up two separate Windows XP virtual machines, one running a cloned copy of the authentication software and the other the original software token. Both were cycling through the same sequence of eight-digit numbers.

However a senior RSA Security exec said that, in practice, the attack would only work on a PC already compromised by a rootkit. Given this level of compromised access, an attacker could more or less do anything they’d like anyway, the exec argued.

Essentially, RSA is saying that the attack is possible only with complete control, via a rootkit, or with physical access. But Fouladi disputes this, and says common or garden malware, launched remotely, would be enough.

The science bit

RSA’s SecurID two-factor authentication system is widely used for remote access logins to corporate networks through virtual private networks (VPNs) and other similar applications. Users log into corporate networks using a password known only to them as well as a temporary token code, generated by a hardware or software token. This token code, which changes every 60 seconds or so, is derived from a secret seed value cycled through a cryptographic algorithm.

The AES-based code generation algorithm used is known, so the security of the system depends on keeping seed values – which are different for every token – secret.
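To make concrete why seed secrecy is the whole game, here is an added illustration of a seed-and-time token generator with a server-side verifier. It is not RSA's code and not its algorithm: SecurID uses an AES-based derivation, whereas this stand-in uses HMAC-SHA256 from the Python standard library so it runs without third-party packages. The structure is what matters: the code is a deterministic function of the seed and the current 60-second window, so a second instance holding a byte-for-byte copy of the seed produces the identical sequence and the server cannot tell the two apart. The seed sizes and code length are assumptions chosen to match the eight-digit codes the article describes.

```python
"""Seed-derived time codes: why a copied seed is a copied token.

Added illustration, not RSA's code or algorithm.  HMAC-SHA256 stands in
for the AES-based derivation SecurID actually uses; the point is the
dependency on the secret seed, not the primitive.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8       # the article describes eight-digit codes
STEP_SECONDS = 60     # codes change roughly every 60 seconds


def new_seed() -> bytes:
    """Generate a fresh 128-bit per-token seed: the value that must stay secret."""
    return secrets.token_bytes(16)


def token_code(seed: bytes, unix_time: int) -> str:
    """Derive the code for the 60-second window containing unix_time."""
    window = unix_time // STEP_SECONDS
    mac = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"          # zero-padded decimal string


def verify(seed: bytes, unix_time: int, candidate: str, skew_steps: int = 1) -> bool:
    """Server-side check that tolerates a little clock drift either way."""
    for offset in range(-skew_steps, skew_steps + 1):
        expected = token_code(seed, unix_time + offset * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def server_accepts_clone(seed: bytes, unix_time: int) -> bool:
    """A clone holding a copy of the seed passes verification exactly like
    the original: the server sees only the code, never which device made it."""
    clone_seed = bytes(seed)                    # byte-for-byte copy of the secret
    return verify(seed, unix_time, token_code(clone_seed, unix_time))


if __name__ == "__main__":
    import time
    seed = new_seed()
    now = int(time.time())
    print("original:", token_code(seed, now), " clone:", token_code(bytes(seed), now))
```

The defensive reading is that hardware tokens keep the seed inside tamper-resistant silicon precisely so that no such copy can be made, which is what the software token's hardware binding was meant to approximate.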

RSA SecurID software tokens are available for a wide range of smartphones and Windows desktops.

Fouladi focused on the Windows version of the technology, which (like the smartphone versions) he reasoned would not be able to provide the level of tamper-resistance that hardware tokens offer. Sure enough he discovered a means to clone a SecurID software token after reverse-engineering the Windows version of RSA’s technology. He extracted secret keys from an encoded SQLite database after circumventing copy protection and hardware binding protections. This key step was accomplished, in part, by taking advantage of previous research, as Fouladi explains.

Previous research on the Microsoft Windows DPAPI internals has made offline decryption of the DPAPI (Data Protection Application Programming Interface) protected data possible. This means that if the attacker was able to copy the RSA token database file along with the encryption master keys to their system (for instance by infecting a victim’s machine with a rootkit), then it would be possible to decrypt the token database file on their machine.

He was subsequently able to get an extracted seed working on another machine, in part using a combination of the host name and current user’s Windows security ID from the primary box. The process allowed him to run a sequence generator and generate valid codes on the second machine.

Software tokens are supposed to be tied to a particular piece of hardware. Cloning would break this security model wide open.

If an attacker gains access to a machine inside a corporate network, using spear phishing and malware, he might be able to lift SecurID software tokens, gaining compromised access to a SecurID-protected network in the process. Other attack scenarios featuring direct access to stolen machines by thieves or mendacious hotel staff are also possible.

Fouladi has published his research, including a proof-of-concept demo, in a blog post entitled “A closer look into the RSA SecureID software token” here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/24/rsa_downplays_secureid_token_clone_attack/

Yahoo! leaks! private! key! in! Axis! Chrome! debut!

Yahoo! today released its Axis extension for Chrome – and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo! software.

Australian entrepreneur Nik Cubrilovic, who last year garnered notice for identifying Facebook’s tracking cookies, revealed the certificate blunder on his blog, and said users should not install the extension “until the issue is clarified”.

Cubrilovic peeked into the extension’s source code and found the private certificate, which Yahoo! uses to sign the application to prove it is genuine and unaltered. The result, he says, is that a miscreant could forge a malicious extension that would be verified by Google’s web browser as coming from Yahoo!

There are all sorts of attacks that could be executed with a spoofed extension; the most obvious of these, as Cubrilovic notes, would be to create and sign a traffic logger to capture a victim’s web activity. He wrote:

The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo! With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!

The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim’s machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.

He’s also produced a proof-of-concept of a spoofing attack and written up instructions on how to remove the extension.

Yahoo! has since apologised and posted a replacement web search extension that doesn’t include the private half of the security certificate. The new plugin, billed as a search browser, is also available for Firefox, Internet Explorer, Safari, and iPhones and iPads. ®
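The blunder here is one a release pipeline can catch mechanically: nothing that ships should contain PEM private-key material. The following is an added example, not Yahoo!'s or Cubrilovic's code, of a pre-publish gate that walks the extension's package tree and refuses to release it if any file carries a private-key header. The sample package is built in a temporary directory, and the key file inside it holds a placeholder string rather than a real key.

```python
"""Pre-release check: refuse to ship a package that contains a private key.

Added example, not Yahoo!'s tooling.  The sample extension tree is
constructed in a temporary directory; the 'key' inside it is a placeholder.
"""
import os
import re
import tempfile

# PEM headers for PKCS#1, PKCS#8, EC, DSA, OpenSSH and encrypted PKCS#8 keys.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
MAX_SCAN_BYTES = 4 * 1024 * 1024   # enough to cover the start of large assets


def file_has_private_key(path: str) -> bool:
    """True if the file contains a PEM private-key block header."""
    with open(path, "rb") as fh:
        return PRIVATE_KEY_RE.search(fh.read(MAX_SCAN_BYTES)) is not None


def find_private_keys(root: str) -> list:
    """Walk a package tree and return sorted relative paths that contain a key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if file_has_private_key(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def release_allowed(root: str) -> bool:
    """Gate for the release pipeline: ship only a tree with no key material."""
    return not find_private_keys(root)


def build_sample_package(root: str) -> None:
    """Create a constructed extension tree: manifest, a script, and a stray key."""
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        fh.write('{"name": "demo-extension", "version": "1.0"}\n')
    with open(os.path.join(root, "js", "background.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    # The mistake: the signing key copied into the directory that gets packaged.
    with open(os.path.join(root, "signing.pem"), "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                 "PLACEHOLDER-NOT-A-REAL-KEY\n"
                 "-----END RSA PRIVATE KEY-----\n")


def demo() -> dict:
    """Show the gate failing on the flawed tree and passing once the key is removed."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_package(root)
        found = find_private_keys(root)
        allowed_before = release_allowed(root)
        os.remove(os.path.join(root, "signing.pem"))   # the fix: keep the key out of the tree
        allowed_after = release_allowed(root)
    return {"found": found, "allowed_before": allowed_before, "allowed_after": allowed_after}


if __name__ == "__main__":
    print(demo())
```

Running this as a pre-publish step is cheap, and the same scan belongs in a pre-commit hook so the key never enters version control in the first place.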

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/

Pipex ‘silence’ condemned punters’ emails to spam blackhole

Analysis Pipex subscribers struggled to send emails for several days after antivirus biz Trend Micro declared the ISP’s network a source of spam.

Messages sent via Pipex’s servers were either blocked or deliberately delayed by internet providers and businesses that rely on Trend Micro’s services to filter emails.

El Reg stepped in to investigate Pipex’s blacklisting after a reader complained to us about the week-long blockade.

“It is murder for businesses like mine as we don’t know whether Pipex emails will be rejected at the moment – and this type of delay blocking takes three days to bounce back,” he said.

Trend Micro said the decision to classify Pipex’s IP blocks as a source of unwanted email was not taken lightly, and insisted it was right in doing so.

“The IP addresses of the Pipex MTA [mail transport agent] have been sending spam and also malicious emails, probably because they have client PCs on their network that are infected and originating spam,” Rik Ferguson, director of security research and communication at Trend Micro explained.

“We would love for the ISP to work with us to help them get this cleaned up; it’s not a false positive,” he added.

Pipex is owned by TalkTalk, which we have chased for an explanation about the block since Tuesday, 14 May, soon after our reader first got in touch. The blockade was lifted the following day.

“I think you raising the subject was enough – problem has now disappeared,” our chuffed reader said. “The Trend AV-equipped Exchange servers, which were not accepting or delaying my Pipex mail, have now all started accepting it as per usual.”

Despite putting in several emails and phone calls over the course of more than a week, The Reg has yet to receive a substantive explanation from (the ironically named) TalkTalk on how its systems ended up on a spam blacklist.

Even though the email blockade was eventually lifted, the cause and what can be done to prevent a repeat of this blunder is surely worthy of comment.

The same lack of communication from TalkTalk was, we’re told, a key factor in Trend identifying Pipex’s network as a source of spam in the first place.

Silence of the LANs

In a detailed email, Ferguson said that before Trend Micro’s Realtime Blackhole List – a message reputation checking service – slams the ban-hammer on an ISP’s network, the accused telco is given two chances to explain itself.

Only in cases where there is both no communication and no improvement in spam levels is a blacklisting applied. Ferguson said Trend Micro contacted Pipex after monitoring a “fairly wide spectrum” of phishing, unlicensed pharmacy and malware-tainted spam mails spewing out of the broadband ISP’s network. Its grievances – which it’s alleged received no response, hence the ban – can be found here.

IP addresses are removed from the blacklists either automatically if they were under a short-term ban or manually if the spam stops.

Ferguson explained:

There are two kinds of listings that Trend Micro does. The first kind is a fully automated response to spam – when we see our customers being affected by a spam run, we put the origin addresses on a short-term list.  This list is used by our customers to temporarily delay messages from that origin address, or to mark it differently as mail is accepted. These listings are particularly effective against bot-originated spam. The listings automatically expire after a period of time, which varies in response to the frequency of listing.

The second kind is the RBL – the Realtime Blackhole List.  Addresses are added to the RBL by an entirely manual process – there is no automation here. When our investigators find a pattern of spam over time, they will compile an RBL nomination. The nomination consists of representative spam samples, addresses, and other information which the investigator deems appropriate to the case. The nomination is then emailed to the registered abuse address for the address(es) affected. The investigator waits for, and documents, any responses received. If the spam does not stop, the investigator then sends the nomination up for a pending listing, which is reviewed by a manager. If approved, a second notice is automatically sent to the registered abuse address, and the listing is made active.

Once an RBL listing is made, we require the ISP to take effective action to stop the spam.  We monitor this action, and if the investigator sees the spam stop, they will remove the listing.

Because there are multiple people involved with checking an RBL listing, it is exceedingly rare that a mistake is made. In each case of an RBL listing, we have spam-on-hand, and can produce that on request for the ISP. The size of the ISP behind any given IP address is not a factor in our decision to list on the RBL; the fact that we have spam from that address, and that there has been no action to reduce the spam, is.

Because the ISP receives at least two notices from us, we feel that they have adequate time to deal with the problem.

Ferguson added that an internet service provider simply has to answer messages sent to its official abuse email address to keep its IP addresses off the blacklist.

“It’s really that simple. As long as we see regular communications from the ISP, and the spam is reducing, no RBL listing will be made. Many ISPs choose not to man their abuse desk, use automation to ‘direct’ complaints to end users, or (worst of all) spam filter their abuse desk address,” Ferguson explained.

“Naturally, these are often the same ISPs that claim that an RBL listing is a ‘false positive’. We just want the spam to stop,” Ferguson concluded. ®
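Ferguson's account describes two lists with different mechanics and different consequences at the receiving end: a manually curated RBL on which mail is rejected outright, and an automated short-term list whose entries expire and on which mail is merely delayed. The block below is an added example, not Trend Micro's or Pipex's code, of how a receiving mail server consults such DNS-based lists and turns the answer into an SMTP response. A DNSBL is queried by reversing the octets of the sending IP and appending the list's zone; an A-record answer means "listed", no answer means "clean". The resolver is a stub dictionary so the code runs offline, and the zone names and addresses are constructed placeholders.

```python
"""How a receiving MTA consults a DNS-based blocklist (added example, not
Trend Micro's or Pipex's code).  Zone names and addresses are constructed.
"""
import time

RBL_ZONE = "rbl.example.invalid"          # stands in for a manually curated RBL
SHORT_TERM_ZONE = "short.example.invalid" # stands in for the automated, expiring list


def dnsbl_query_name(ip: str, zone: str) -> str:
    """192.0.2.10 checked against zone -> '10.2.0.192.zone'."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


class StubResolver:
    """Stands in for DNS: maps query names to (answer, expiry) tuples."""

    def __init__(self):
        self.records = {}

    def add_listing(self, ip: str, zone: str, ttl_seconds=None, now=None):
        """List ip in zone; ttl_seconds=None means 'until manually removed'."""
        now = time.time() if now is None else now
        expiry = None if ttl_seconds is None else now + ttl_seconds
        self.records[dnsbl_query_name(ip, zone)] = ("127.0.0.2", expiry)

    def remove_listing(self, ip: str, zone: str):
        """Manual delisting, as when an investigator sees the spam stop."""
        self.records.pop(dnsbl_query_name(ip, zone), None)

    def lookup(self, name: str, now=None):
        """Return the A-record answer, or None when not listed or expired."""
        now = time.time() if now is None else now
        rec = self.records.get(name)
        if rec is None:
            return None
        answer, expiry = rec
        if expiry is not None and expiry <= now:
            del self.records[name]          # short-term entries expire on their own
            return None
        return answer


def smtp_decision(resolver: StubResolver, sender_ip: str, now=None) -> tuple:
    """Return the (code, text) an MTA would answer a connection from sender_ip."""
    if resolver.lookup(dnsbl_query_name(sender_ip, RBL_ZONE), now):
        return (550, "rejected: sending address is on the RBL")
    if resolver.lookup(dnsbl_query_name(sender_ip, SHORT_TERM_ZONE), now):
        return (451, "try again later: temporary spam-run listing")
    return (250, "accepted")


def demo() -> dict:
    """Walk through the listing states the article describes."""
    r = StubResolver()
    t0 = 1_700_000_000
    r.add_listing("192.0.2.10", RBL_ZONE)                                 # manual RBL entry
    r.add_listing("192.0.2.20", SHORT_TERM_ZONE, ttl_seconds=3600, now=t0) # automated, expires
    out = {
        "rbl": smtp_decision(r, "192.0.2.10", now=t0)[0],
        "short_term": smtp_decision(r, "192.0.2.20", now=t0)[0],
        "short_term_expired": smtp_decision(r, "192.0.2.20", now=t0 + 7200)[0],
        "clean": smtp_decision(r, "192.0.2.30", now=t0)[0],
    }
    r.remove_listing("192.0.2.10", RBL_ZONE)    # spam stopped, investigator delists
    out["rbl_after_delist"] = smtp_decision(r, "192.0.2.10", now=t0)[0]
    return out


if __name__ == "__main__":
    print(demo())
```

The 451 response is what the reader's "delay blocking" refers to: a temporary failure that the sending server retries, with the bounce arriving only after its retry period runs out, whereas a 550 from the RBL is final.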

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/24/pipex_zombie_spam_blacklist/