STE WILLIAMS

GCHQ’s spy death riddle shines light on UK hacker war

British intelligence agent Dr Gareth Williams’ last mission before he was “unlawfully killed” was to infiltrate and report on US hacker meetings, evidence given at his inquest this week has indicated.

Williams appears to have been one of a team of intelligence officers and agents sent to penetrate hacking networks in the US and the UK.

At first sight more Austin Powers than James Bond, Williams is the first spy geek to be publicly unmasked, in sadly sensational circumstances.

His naked and decomposing body was found in the foetal position inside a sports holdall in the bath of his central London flat on 23 August 2010, one week after he had failed to turn up for work at SIS – aka MI6 – headquarters in Vauxhall Cross, London.

Coroner Dr Fiona Wilcox said yesterday that she was satisfied that a third party had placed the bag with his body into the bath and had also, “on a balance of probability”, padlocked it shut.

According to pathologists and escapologists who testified during her enquiry, the padlock on the almost airtight enclosure sealed his fate, stupefying and then killing him within minutes from CO2 poisoning.

His death was “unnatural and criminally mediated”, she said. It was not suicide.

Gareth Williams

Who shut the lock on the holdall is a question that the coroner said could not be resolved with the evidence available. “Most of the fundamental questions in relation to how Gareth died remain unanswered,” she said.

The compelling answer is a sex date a week before – somebody he had invited in to play bondage games and who may have panicked and fled when Williams lost consciousness, or sadistically locked the bag and left him to suffer.

Whoever he or she was, they did not leave enough DNA or forensic traces for detectives to have made progress to date. But the police forensic examination team, who checked through Williams’ Mac laptop and iPhone collection, seem to have been blithely unaware of how many digital traces they may have missed or how much more may still be out there.

Williams’ last espionage targets were participants in the Black Hat and Defcon 18 hacker and security conferences held in Las Vegas in July 2010. His SIS manager told the enquiry that Williams was one of a “group” of agents tasked to attend the conferences.

The inquest was told about the unique Defcon 18 badge that had been found in his flat. The gimmick features a reflective display and an embedded digital signal controller that geeks were invited to manipulate.

Previously, as an operational officer, Williams had met two SIS agents working in the field in Britain, although not as their case officer or handler. Had he not become cheesed off with SIS, the inquest was told, he would have been assigned abroad as a British secret agent. A few months before his death, he asked to go back to GCHQ.

Williams’ working life, after graduating with a first in mathematics in 1996 aged 17, was spent in Cheltenham at GCHQ, Britain’s signals intelligence agency. He joined in 2001 after completing a PhD in computer science at Manchester University. His final role in GCHQ had been designing “practical applications for emerging technologies”.

In 2007, he applied to become a secret agent by transferring to SIS, the UK’s human intelligence agency responsible for spies and spy recruitment. He was put through a series of aptitude and skill tests. He failed. He also attended Black Hat 16 the same year, according to an SIS witness, presumably also then staying on to attend Defcon.

In 2008, he tried again to join SIS, and this time passed the tests. He started in spring 2009 after moving to London, and took part in five SIS training courses before embarking on “active operational work” within UK.

To spy on geeks, you need to hire a serious and thoroughly convincing geek.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/03/gareth_williams_inquest/

Kaspersky: Apple security is like Microsoft’s in 2002

Apple customers are more at risk from malware now because of their misconception that their iDevices and Macs are secure and because of Apple’s poor attitude to security, according to experts.

David Emm, senior security researcher at Kaspersky Lab told The Reg that Apple had cultivated the image of the Mac as intrinsically safer than PCs and now that Macs were under attack from bot armies like the Flashback Trojan, the fruity firm would have to change its attitude.

“I think it will take some time before we see a significant change in attitude from Apple,” he said. “It’s not simply about code, but about adopting a different security posture and updating and reviewing processes that reflect this.”

Because Mac users have long believed that their computers are safe from malware – and Apple fostered this belief in ads like the 2006 one that compared the healthy Mac to the sick PC – they are intrinsically more at risk compared to wary Microsoft users.

“Even when Apple added signature detection to Mac OS, in the form of its ‘XProtect’ module, it was done quietly, without any sort of fanfare,” says Emm.

“I think Mac customers are more at risk because of the historical mis-perception about Mac security. But I would hope that Flashfake will be a wake-up to anyone using a Mac, that they need to secure themselves from online threats.”

Eugene Kaspersky, founder and CEO at the Lab, told Computer Business Review last week and confirmed to The Reg that Apple was about ten years behind Microsoft in terms of security.

Kaspersky Lab thinks that this is just the start of the attacks that the fruity firm can expect now that Macs have become so much more popular.

“For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows,” he said.

“Cyber criminals have now recognised that Mac is an interesting area. Now we have more, it’s not just Flashback or Flashfake. Welcome to Microsoft’s world, Mac. It’s full of malware.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/02/kaspersky_apple_flashback_microsoft/

Skype slurping software threatens IP exposure

Code posted online that can skim the last known IP address of users is being checked out by Skype as a possible security flaw.

The software, posted on Pastebin, works on a patched version of Skype 5.5 and involves adding a few registry keys that allow the attacker to check the IP address of users currently online without calling them. Services like Whois will then give some other details on the city, country, internet provider and/or the internal IP-address of the target.

“I’ve tested this and it does what it says on the tin,” blogged Nick Furneaux, MD of security researchers CSITech. “I was able to extract the external and internal IPs of a friend in the US to within a few miles of his house, a buddy in Asia to within a few streets and my own to just a few miles down the road. More concerningly the internal IP combined with the internet facing address provides the basis for a direct probe and then attack of any individual on Skype’s global address book.”

He said a website had been set up to provide an easier way to exploit the IP tracking but that it hadn’t yet been checked out for malware. The site is down at present.

Before everyone panics, it is not clear if the problem affects the current corporate build of Skype or just the deobfuscated build mentioned in the posting. Skype, and presumably Microsoft given the amount of integration Redmond is planning with its code base, are no doubt hoping it’s the latter situation. In any case, simply turning off the software when you’re not using it minimizes any threat window.

“We are investigating reports of a new tool that captures a Skype user’s last known IP address,” Adrian Asher, director of product security at Skype told El Reg in an emailed statement. “This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are taking measures to help protect them.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/01/skype_ip_security/

Google Street View Wi-Fi data slurper named

The ‘Engineer Doe’, who designed Google’s Street View Wi-Fi software to collect personal data, has been named by an American newspaper.

The engineer is reportedly Marius Milner, developer of the popular NetStumbler wardriving programme for Windows. Milner describes his occupation as a “hacker” on his LinkedIn page.

Google initially denied collecting personal information using its street-mapping camera-car fleet, then admitted it had captured unsecured Wi-Fi traffic but blamed a lone gunman slurper: a so-called “rogue engineer” who wrote the software in his “20 per cent time permitted for self-directed projects”.

An investigation by the Federal Communications Commission demolished this theory, however. The FCC found Google guilty of obstructing its investigation but concluded that collecting personal data from unsecured wireless networks did not breach the US Wiretap Act.

Privacy group EPIC says the FCC report “undercuts the company’s prior statements that a rogue engineer was responsible for the payload data collection”.

“Instead,” the organisation added, “it indicates that Google intentionally intercepted payload data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the project.”

Google itself released the FCC’s report into its Street View data collection activities on Saturday, with most of the details readable – some portions remain redacted. Groups including EPIC and Consumer Watchdog have filed Freedom of Information requests to access all of the documents in the case.

An independent source code analysis of the engineer’s work, commissioned by Google, is now available [PDF, 486KB].

A little business context, missing from most press reports on this story, is useful to remember here. It concerns a firm called SkyHook.

SkyHook is a Boston-based company that had already compiled a nationwide database of Wi-Fi access points. The biz merely collected SSID and signal strength – not personal data. SkyHook’s database was used by licensees of Google’s Android operating system for locations services. Eighteen months ago, SkyHook filed a suit claiming that Google had strong-armed Android licensees to use Google’s location database instead of SkyHook’s.

Far from being the work of a “lone slurper” tinkering in his own time, the software could be seen as creating an essential component of the Street View software stack. Google’s Wi-Fi access point database was considered to be of enormous strategic significance.

Google’s strategy after the data-slurp is proving to be much more interesting than the actual packet sniff. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/01/slurp_engineer_doe_named/

Terrorists ‘build secure VoIP over GPRS network’

Terror group Lashkar-e-Taiba has developed its own VoIP network that connects its members over GPRS networks, according to the Times of India.

UK and US authorities have both declared Lashkar-e-Taiba a proscribed terror organisation. The group’s aims include India ceding sovereignty over Kashmir. Members of the organisation participated in the 2008 attacks on Mumbai.

The VoIP network is frustrating India’s intelligence community, the report says, because it means they can no longer trace the group’s members as it is far harder to spy on than email or commercial VoIP services.

“Earlier, we could intercept conversations on phone or locate Lashkar cadres based on their IP addresses through their emails,” an intelligence source told the Times. “But now we’re finding it tough to gather intelligence because Lashkar men hold audio or video conferences using private VoIP.”

The network even has a name: Ibotel.

The report says Lashkar-e-Taiba recruited “technicians, engineers and information technology executives … intensify its operations across India.” Some of those recruits, the report suggests, developed Ibotel as the group sought more secure methods of communication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/01/terror_group_voip/


RuggedCom will block industrial control backdoor

A year after it was first discovered, a backdoor in industrial networking kit from Canadian RuggedCom is to be fixed – sometime soon.

The company, a Siemens subsidiary via acquisition in March, has announced that it will release new firmware disabling backdoor access to devices running its ROS operating systems. These include Ethernet switches and serial-to-Ethernet converters.

The vulnerability was made public by Justin W Clarke on the Full Disclosure list, including his claim to have notified the vendor last year and, after an eight-month hiatus, notifying US-CERT in February.

RuggedCom says all versions of its firmware prior to ROS v3.3 can be backdoored via the serial console, ssh, https, telnet and rsh; later versions can’t be attacked via ssh or https, but are still vulnerable via telnet or rsh if these services are switched on (they’re enabled by default, but can be switched off in ROS v3.3 or later).

The vulnerability was created by what seems to be a clumsy attempt to allow access to devices if the customer loses a password. The undocumented “factory” account generates a password based on a hash of the device’s MAC address.

However, with both a default account and a default state that made remote access available, devices were vulnerable to anybody that knew the secret. When the new firmware version ships, the factory account will be removed, and telnet and rsh will be disabled by default. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/30/rugged_com_blocking_backdoor/

Google KNEW Street View cars were slurping Wi-Fi

Google knew its Street View cars were slurping personal data from private Wi-Fi routers for three years before the story broke in April 2010.

When the revelations were made, Google said its map service’s cars were merely collecting SSIDs and MAC addresses. The following month, it said network data had been captured, but this was the work of one engineer.

Six months later Google conceded that payload data, including emails and passwords, was recorded by the roving photo-motors – but still blamed a rogue engineer.

An investigation by the Federal Communications Commission leaves no ambiguity: an engineer discussed the collection of the personal data with a senior manager, and between May 2007 and May 2010 wireless traffic was captured by Street View cars.

“Are you saying that these are URLs that you sniffed out of Wi-Fi packets that we recorded while driving?” asks the manager, a question the engineer affirms. Both identities are concealed: the developer is referred to as “Engineer Doe”.

The FCC released the full report [PDF, 4.5MB] on Saturday.

Google argued that the interception of payload data from unsecured wireless networks does not breach the Wiretap Act. The FCC accepted that the eavesdropping was not necessarily unlawful, and could not find evidence that Google had used the stored data illegally.

However, the regulator concluded that Google hobbled its investigation and fined it $25,000 for non-compliance. That’s rather less than the $8.5m paid out to settle private suits over its now-abandoned Google Buzz service.

“For many months, Google deliberately impeded and delayed the bureau’s investigation by failing to respond to requests for material information and to provide certifications and verifications of its responses,” the FCC wrote.

Google asked a third party to examine the code, and that technical report is now publicly available. It confirms that data frames were captured from unsecured networks, and SSID and MAC addresses captured from all Wi-Fi networks found by the Kismet packet-sniffing software.
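The distinction the report draws, between beacon metadata (SSID and MAC address) and the data frames that carry payload, is the one a data-minimising collector has to enforce in code. The filter below is an added example written for this page, not Google's software or anything from the FCC or third-party reports; it parses constructed 802.11 frames using the standard frame layout, records only BSSID, SSID and the privacy flag from beacons, and discards every data frame without reading its body. The sample frames and MAC addresses are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# 802.11 frame-control/capability constants (standard values, not page content)
TYPE_MGMT, SUBTYPE_BEACON = 0, 8
FC_PROTECTED = 0x40     # Protected Frame bit in the second frame-control byte
CAP_PRIVACY = 0x0010    # Privacy bit in a beacon's capability field

@dataclass
class ApRecord:
    bssid: str
    ssid: str
    encrypted: bool

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def minimise_frame(frame: bytes) -> Optional[ApRecord]:
    """Keep only what an AP-location database needs (BSSID, SSID, privacy bit)
    from beacons. Data frames, encrypted or not, are dropped before their body
    is ever touched, so payload from unsecured networks is never recorded."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != TYPE_MGMT or subtype != SUBTYPE_BEACON:
        return None
    bssid = _mac(frame[16:22])   # addr3 carries the BSSID in a beacon
    body = frame[24:]            # timestamp(8) + interval(2) + capability(2) + tags
    if len(body) < 12:
        return None
    cap = struct.unpack_from("<H", body, 10)[0]
    ssid, pos = "", 12
    while pos + 2 <= len(body):  # walk tagged parameters for tag 0 (SSID)
        tag, ln = body[pos], body[pos + 1]
        if tag == 0:
            ssid = body[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            break
        pos += 2 + ln
    return ApRecord(bssid, ssid, bool(cap & CAP_PRIVACY))

def minimise_capture(frames: Iterable[bytes]) -> Tuple[Dict[str, ApRecord], int]:
    """Return the AP table and how many frames were discarded unread."""
    table: Dict[str, ApRecord] = {}
    dropped = 0
    for f in frames:
        rec = minimise_frame(f)
        if rec is None:
            dropped += 1
        else:
            table[rec.bssid] = rec
    return table, dropped

# Constructed sample frames (not real captures), so the filter runs offline.
def build_beacon(bssid: bytes, ssid: bytes, privacy: bool) -> bytes:
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, CAP_PRIVACY if privacy else 0)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

def build_data(bssid: bytes, protected: bool, payload: bytes) -> bytes:
    fc1 = 0x01 | (FC_PROTECTED if protected else 0)   # ToDS flag, maybe protected
    return bytes([0x08, fc1, 0, 0]) + bssid * 3 + b"\x00\x00" + payload

SAMPLE = [
    build_beacon(b"\x02\x11\x22\x33\x44\x55", b"HomeNet", privacy=False),
    build_data(b"\x02\x11\x22\x33\x44\x55", False, b"GET /webmail?user=alice"),
    build_beacon(b"\x02\x66\x77\x88\x99\xaa", b"Office", privacy=True),
    build_data(b"\x02\x66\x77\x88\x99\xaa", True, b"\x9f\x3c\x71"),
]
```

Running `minimise_capture(SAMPLE)` yields two AP records and reports two frames discarded; the unencrypted webmail request never reaches any parser.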

The ability to capture payload data was outlined in a design document – clearly described as “information about what they were doing”. But Engineer Doe decided that it was not a privacy concern because the Street View cars would not be “in proximity to any given user for an extended period of time” (phew) and that “[n]one of the data gathered would be presented to end users of [Google services] in raw form”.

The engineer added “discuss privacy considerations with privacy counsel” on his to-do list, but despite a line-by-line internal review of the code, no meeting ever took place.

A senior manager at Google told the FCC he pre-approved the design document before it had been written.

Google co-founder Sergey Brin recently confessed a fascinating desire to The Guardian newspaper: “If we could wave a magic wand and not be subject to US law, that would be great. If we could be in some magical jurisdiction that everyone in the world trusted, that would be great. We’re doing it as well as can be done.”

You can see why. Google’s rap sheet [PDF, 60KB] grows by the day – and details an impressive list of the company’s ongoing litigation on privacy, market abuse and IP abuse charges. ®

Bootnote

The FCC doesn’t outline what procedures Google is taking to ensure employees and managers take greater responsibility for privacy sensitive work. The New York Times reports that Google is offering employees courses in “mindfulness” – devised by a Google engineer. Steps include “self-knowledge” and “self-mastery”.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/30/google_slurp_ok/

Welsh NHS fined £70k for patient psych file leak blunder

The UK’s Information Commissioner’s Office (ICO) has slapped its first fine on the NHS after a mental health patient’s file was leaked in an email gaffe.

The ICO handed the Aneurin Bevan Health Board in Wales a bill for £70,000 for sending the sensitive information to the wrong person.

A consultant from the NHS organisation emailed a letter containing a detailed psychological report of a patient to a secretary for formatting. But the doctor used two different spellings for the patient’s name, which resulted in the file being sent to the wrong person who had the name with the different spelling.

The ICO, which gained powers to hand out stiff fines about 18 months ago, doesn’t always resort to what it calls civil monetary penalties when it’s told or finds out about a breach of data protection law – but it fines bodies when it thinks that the right precautions haven’t been taken.

In this case, the office’s probe found that neither of the staff members had been given adequate training, and there weren’t enough checks in place to stop private information falling into the hands of the wrong people.

“The health service holds some of the most sensitive information available. The damage and distress caused by the loss of a patient’s medical record is obvious, therefore it is vital that organisations across this sector make sure their data protection practices are adequate,” the ICO’s top enforcer Stephen Eckersley said in a canned statement.

“We are pleased that the Aneurin Bevan Health Board has now committed to taking action to address the problems highlighted by our investigation; however organisations across the health service must stand up and take notice of this decision if they want to avoid future enforcement action from the ICO,” he warned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/30/health_board_data_breach_fine/

Windows Phone 7 ‘not fit for big biz … unlike Android, iOS’

B-Sides Windows Phone 7 is not yet fit for enterprise deployments, according to an application security expert.

David Rook, application security lead at Realex Payments, told delegates at the B-Sides conference in London that the youngest of the smartphone operating systems is less mature than either Google’s Android or Apple’s iOS. Rook’s well-received presentation focused on how developers can produce apps for consumers that are free from common application security vulnerabilities.

The most important issues to focus on are privacy, authentication and authorisation and secure storage. Rook said other issues in application security such as input validation ought not to be neglected but are less important in practice than the three top areas he outlined.

“We need input validation but most problems in practice are caused by top three risk areas,” Rook explained.

The current Windows Phone 7 framework doesn’t allow apps to access data held by other apps. Microsoft is likely to reverse this, according to Rook.

Examples of possible problem areas include flaws in mobile ad libraries and the like from third-party suppliers.

Windows Phone 7 is based on the .Net developer framework and many of the same security principles apply. “There are no new issues in app security here that we don’t know how to review and test,” Rook explained.

The smartphone OS has various in-built security features but “like any security system it’s only a matter of time before these get broken,” Rook warned.

Rook has developed a utility called Windows Phone App Analyser to assist software creators in uncovering possible problems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/30/window_mobile_7_security/