STE WILLIAMS

Last year, Oxford university demonstrated the use of quantum fluctuations to generate random numbers. Now, the Australian National University has gone a step further – putting its quantum-generated random numbers online.

“Vacuum noise” is one of those “couldn’t possibly be true, except that it is” characteristics of quantum mechanics. Knowing for certain you have an absolute vacuum with nothing inside it violates various refinements of Heisenberg’s uncertainly principle; the universe protects uncertainty by giving rise to virtual particle-antiparticle pairs that mutually annihilate.

And for researchers also know, this can be a pain in the neck for researchers working at quantum scales – so that it creates measurable interference in devices like gravity wave detectors.

It is, however, very useful for applications like cryptography.Since the vacuum fluctuations are completely random, this area of physics is keenly researched to develop better random number generators, with a number of different approaches trying to exploit the strangeness of the quantum universe.

Team member Dr Thomas Symul explains: “Vacuum noise is one of the ultimate sources of randomness because it is intrinsically broadband and its unpredictability is guaranteed by quantum theory. Because of this, we are able to generate billions of random numbers every second.”

The ANU table-top random number generator looks for the impact vacuum fluctuations have on light beams. A laser source is split, and the power in each beam is measured.

“Because light is quantised, the light intensity in each beam fluctuates about the mean”, the university explains. The ultimate source of that noise is quantum fluctuations – the brief, evanescent lives of virtual particles.

And the ANU is putting its random numbers where its mouth is, at this site. Users can stream random numbers in hex, binary, or encoded as RGB colours.

Anybody downloading random numbers from the site, the ANU says, will receive a unique sequence different from all other users.

The university is now working with an Australian company, QuintessenceLabs, to commercialize and miniaturize its research to give users a thumb-drive-sized quantum random number generator of their own.

ANU’s work is published in Applied Physics Letters, abstract here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/15/anu_quantum_random_number_generator/

Hard on the heels of the Flashback Trojan, Kaspersky Labs is warning of a new OSX threat, which it’s dubbed Backdoor.OSX.SabPub.a.

In a post to Securelist, Kaspersky’s Costin Raiu says the Trojan connects to a command and control server hosted on a Californian-based VPS associated with the Onedumb.com free DNS.

Apparently a month old, the Trojan uses a Java exploit given the name Exploit.Java.CVE-2012-0507.bf in the Kaspersky post, with the ZelixKlassMaster obfuscator to try and get past malware detection products.

Although Raiu says the infection vector is “not clear”, he said there are reports suggesting the Trojan is spread via e-mails directing users to URLs hosting the malware (located in the USA and Germany).

In a second post, however, Raiu fingers infected Office documents as the vector. He also states that the Trojan is in “active stage”, after the CC server took control of a “goat” machine operated by Kaspersky and started looking for documents.

Similarities to the LuckyCat attacks, which also used infected documents, lead Raiu to suggest that like the earlier malware, SabPub may be targeting Tibetan activists. One of the document names Kasperky Labs has turned up in its analysis of SabPub, “10th March Statemnet” (sic), invokes the date of announcement by the Deli Lama.

The Microsoft Office vulnerability exploited by SabPub is CVE-2009-0563. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/15/new_osx_backdoor/

Facebook has issued a statement explained why it is supporting the Cyber Intelligence Sharing and Protection Act (CISPA) HR 3523, which is currently being considered by Congress.

CISPA would set up a mechanism for the government’s security services to share information on new threats with private companies and utilities. In return, those companies can share data on their users with the government if requested, and the bill ensures they are bulletproof from legal fallout if people complain. Data sharing is voluntary and some data can be stripped of identifying features.

But internet rights campaigners are concerned that the loose language of the legislation will leave it open to be used in a much wider context than national online security. Dan Auerbach, staff technologist with the Electronic Frontier Foundation (EFF), told The Register that the provisions of the bill could be stretched to include sharing data for crimes like piracy.

“The biggest problem with the bill is that it’s too vague,” he explained. “The language in it now is broad enough that it could be used to allow, or compel companies, to do copyright enforcement.”

He explained that while the information exchange was voluntary, the government is adept at encouraging companies to play ball. Access to lucrative federal contracts could be offered to those who are willing to cooperate and compliance might be written into such contracts. It’s a pattern of behavior that’s been noted before, he said.

The bill will be debated in the US House of Representatives this month, and has attracted over 100 co-sponsors. There’s also an impressive list of technology companies lining up to support CISPA, including Microsoft, Intel, EMC, Oracle and Facebook. Facebook is the only company to respond to El Reg‘s requests for comment, and then it stuck to a general statement.

“HR 3523 would impose no new obligations on us to share data with anyone – and ensures that if we do share data about specific cyber threats, we are able to continue to safeguard our users’ private information, just as we do today,’ said Facebook’s Joel Kaplan, vice president of US public policy in a statement on the site.

“We recognize that a number of privacy and civil liberties groups have raised concerns about the bill. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place.”

Facebook’s support was seen as important in persuading legislators to drop the proposed SOPA and PIPA laws, along with the market and lobbying muscle of Google. The Chocolate Factory isn’t listed as a supporter of the legislation and it has not replied to requests for comment.

A committee staffer working on the bill told The Register that the provisions of the bill were open to amendment and that talks are ongoing between civil liberties groups and the bill’s sponsors that would clear up many of the issues. A series of amendments will be introduced next week, which should allay concerns over the scope of CISPA.

In particular, the staffer said that there is a provision within CISPA that explicitly bans the government from insisting on getting information on customers in exchange for security information, and any exchange would be absolutely voluntary. There is also no provision for the data to be used just for intellectual property theft, and the IP clauses in the bill had been included were intended to go after overseas players going after military or commercial data via network hacking, not file sharers.

“They’re not looking for some kid in the Dallas suburbs hacking into his school to change his grade,” the staffer said. “This is about foreign intelligence services and organized crime figures from overseas.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/14/cispa_facebook_support/

Apple has released a tool that removes the infamous Flashback Trojan from infected Macs.

The utility, billed as a Java security update, also disables Java applets by default – but only on machines running OS X Lion, the latest version. The update turns off Java applet execution by default for all browsers, not just Safari.

Users can re-enable this if necessary, perhaps to use an online banking site that mandates Java, but the functionality is disabled again automatically in the absence of applet use within 35 days, as Apple’s security bulletin for Lion explains:

This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application.

If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion.

This update is recommended for all Mac users with Java installed

The picture is different for Mac users running Snow Leopard, where disabling Java in your browser won’t happen automatically, as explained in a blog post by Paul Ducklin of Sophos here. The update for Snow Leopard does include Flashback Trojan removal, as explained in Apple’s bulletin here.

Both the OS X Lion and Snow Leopard updates, released on Thursday, come with a patched version of Java that was made available in a separate set of updates earlier this week.

Apple has made good on its promise earlier this week to release a Flashback removal tool but the move came after several security firms independently released their own Flashback detection and removal tools (a list of free utilities is here).

The Flashback Trojan created a zombie army of remote-controllable 650,000 Apple Macs, or more, by exploiting a Java security vulnerability that Apple only patched last week, six weeks after a patch for Windows machines became available.

The Flashback Trojan has declined over recent days from a peak of around 670,000 machines to around 270,000 bots (Symantec’s latest estimate) or lower. Despite the decline the zombie network remains an undead menace. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/13/apple_releases_flashback_removal_tool/

An alleged member of Anonymous has been tracked down after he posted a picture of his scantily clad girlfriend in an image bragging about his hacking exploits.

Higinio O. Ochoa III from Texas has been charged hacking into the websites of at least four US law enforcement agencies before, in one case at least, posting personal information including home addresses and phone numbers related to dozens of police officers.

Ochoa, is an alleged member of CabinCr3w, an offshoot of the hacktivist collective Anonymous. A criminal complaint filed in connection with the case reveals that pictures of a amply proportioned young woman taken in an outer-Melbourne suburb played a key role in the case, Australian paper The Age reports.

The image was taken with an iPhone and posted at an online location below a law enforcement data dump. The URL was publicised via updates to a Twitter account, @AnonW0rmer, allegedly maintained by Ochoa.

The photo, cropped from the neck down, featured the bikini-clad babe holding a sign saying “PwNd by w0rmer CabinCr3w 3 u BiTch’s”. Whoever uploaded the photo, which was taken via an iPhone, failed to purge its metadata which revealed the GPS co-ordinates in an outer-Melbourne suburb where the photo was taken. “EXiF data from this picture shows that it taken with an iPhone 4 and edited with Photoshop,” the complaint states.

This GPS location allowed local police to easily track down the presumed residence of the woman pictured in the photo, believed to be Ochoa’s Australian girlfriend, and others like it in a similar vein promoting Anonymous. One of these featured a picture of the same woman alongside a sign stating “Come me bro! @AnonwOrmer #Cabincr3w”.

FBI investigators found two references to the pseudonym ”w0rmer” on other internet locations, one of which featured Ochoa’s name. Ochoa’s Facebook page revealed he was dating an Australian woman, adding another important piece to the jigsaw puzzle of carelessly left information that allowed police to first monitor and then arrest Ochoa, a computer programmer by trade, last month.

Ochoa faces charges related to hacks against the West Virginia Chiefs of Police website and the Alabama Department of Public Safety database, the Mobile Police Department servers, the Texas Department of Safety and the Houston County’s database in a spate of attacks in early February.

“A review of log files from the Texas DPS website revealed that it had been compromised on February 8 … utilising a SQL injection vulnerability that allowed the attacker to gain unauthorized access to server resources including tables on a database utilized by the webserver. This access allowed the attacker to create and drop database tables as well as download data, all functions that were not intended,” the criminal complaint alleges.

The hack was carried out using an internet connection assigned to a house close to Ochoa’s residence in Galveston, Texas. Investigators reckon Ochoa’s used an insecure internet connection to carry out the attack.

Ochoa was scheduled to appear in a criminal court in Austin, Texas over the alleged hacking attack on Tuesday, 10 April. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/13/fbi_track_anon_from_iphone_photo/

Australia’s Defence Signals Directorate, an agency charged with collecting signals intelligence and educating the rest of the government about security, has green-lit Apple’s iOS for use in “classified Australian government communications”.

The decision doesn’t mean spooks can nip out to a phone shop and start chattering away on the iDevice of their dreams. Instead they’ll need to adhere to a ‘Hardening Guide’ [PDF] that insists on iOS 5.1 or later and also offers lots of rules to make sure Apple’s devices are used safely.

Those rules include a provision that passwords must include alphanumeric characters and that users should be forced to change passwords every 90 days. Devices should be auto-wiped after five failed log-on attempts. A SIM PIN is recommended and and encrypted backups are a must.

Disabling installation of apps is recommended for workers who access “Protected” information. Three grades of security higher than Protected – Confidential, Secret and Top Secret – aren’t considered suitable for access with an iDevice.

WiFi access is allowed, but only with “WPA2 Authentication with EAP-TLS and a pre-shared key as minimum,” but with a preference for RADIUS or 802.1x. “Ask to join networks” should be turned off, to prevent iDevices connecting to unknown WiFi.

The guide mentions jailbroken devices and unsurprisingly says “Administrators should not allow employee owned jailbroken iOS devices to be provisioned on the corporate network.”

Interestingly, the guide also includes sample scripts for the iPhone Configuration Utility, an Apple product the Directorate recommends as suitable for managing fleets of iDevices in Australian government agencies. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/13/ios_secure_for_australian_classified_comms/

ICANN has revealed that it took down its top-level domain application system yesterday after discovering a potentially serious data leakage vulnerability.

As El Reg reported earlier today, ICANN shut down its TLD Application System (TAS) – the web application companies use to apply for new gTLDs – due to unspecified “unusual behaviour”.

The organisation has now revealed that while there was no “attack” as such, it had found that some TAS users could access data belonging to other TAS users.

“We have learned of a possible glitch in the TLD application system software that has allowed a limited number of users to view some other users’ file names and user names in certain scenarios,” COO Akram Atallah said in a statement.

“Out of an abundance of caution, we took the system offline to protect applicant data,” he added. “We are examining how this issue occurred and considering appropriate steps forward.”

The vulnerability has potentially serious implications due to the level of secrecy surrounding the majority of new gTLD applications.

Companies in general don’t want to reveal which gTLDs they are applying for while the ICANN application window is still open. If it were revealed that Coca-Cola had applied for .drink, for example, that might prompt Pepsi to file a competing application.

Because ICANN’s method of last resort for resolving these so-called “contention sets” is an auction, a prematurely revealed application could therefore wind up costing hundreds of thousands of dollars – even millions of dollars – more.

It’s quite possible that gTLD strings may have been included in the leaked user names and file names, though ICANN has yet to confirm the extent of this problem.

It’s also not yet known which applicants had access to which other applicants’ data, and whether any of the leaked information was acted upon.

The new gTLD application window was due to close yesterday at 1159 UTC, but ICANN shut down the TAS about 12 hours before the deadline after becoming aware of the vulnerability.

The filing deadline has now been extended until next Friday, but ICANN does not plan to bring the TAS back online until Tuesday, by which time it expects to have fixed the bug. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/13/bug_security_icann_gtld_problems/

Two teenagers have been arrested after hackers attacked Scotland Yard’s anti-terror hotline, eavesdropped on a conversation between officials and uploaded a recording to the internet.

The two males, aged 16 and 17, were cuffed in the West Midlands by cops from the Police Central e-Crime Unit. A Scotland Yard spokesman said the duo were been questioned on suspicion of breaching the Malicious Communications Act and Computer Misuse Act – the UK’s main anti-hacking laws. No charges have been brought as of Friday morning, he added.

Hacktivist group TeaMp0isoN launched a phone-based denial-of-service (DOS) attack against the anti-terror hotline last weekend as part of a protest against the UK’s controversial extradition laws.

Other hacktivists launched traffic-flooding assaults against the official website of the UK prime minister, number10.gov.uk, and the UK’s Ministry of Justice at around the same time last Saturday as part of OpTrialAtHome.

TeaMp0isoN’s phone-bombing exercise flooded the anti-terror hotline with bogus calls, preventing genuine callers from getting through. The hackers reportedly used a compromised PBX system in Malaysia to launch the attack, which persisted for around two days.

“The script is based on the Asterisk software and uses a SIP protocol to phone,” a bod going by the handle of TriCk told Softpedia.

“Every time they picked up the phone the server would play a robot voice which said ‘teamp0ison’.”

Anti-terror hotline bods taunted

TriCk, a leading member of TeaMp0isoN, later phoned up the anti-terrorism hotline and made a prank call that taunted operatives about the phone-bombing exercise – then uploaded the results on YouTube. The group then exploited a “weakness” in the Scotland Yard’s phone system to record a conversation between officials discussing the phreaking incident.

“We have been subjected to a barrage of calls from a group called Team Poison,” one person on the conversation can be heard to say, The Telegraph reports. “We have had about 700 calls over the last couple of nights.”

TeaMp0isoN posted an extract of this chat on YouTube, raising questions about phone security within Scotland Yard’s counter-terrorism unit.

The Metropolitan Police attempted to assuage these concerns on Thursday by issuing a statement insisting that the integrity of the confidential anti-terror hotline remained intact. How hackers managed to record what sounds like an internal conversation between two officials within Scotland Yard remains unclear.

The cops wrote:

We have throughout the day researched the allegation that the Anti-Terrorist Hotline had been ‘hacked’ and ‘activists’ claims that they were able to listen unrestricted to confidential communications.

We are confident the MPS communication systems have not been breached and remain, as they always have been, secure.

We are satisfied that any recording would have been made via the receiving handset only and not from an attack on internal systems.

The public can remain confident in the ability to communicate in confidence and that the integrity of the Anti-Terrorist Hotline remains in place.

In an interview broadcast on Sky News, Detonate – an alleged member of TeaMp0isoN – claimed that Scotland Yard’s PBX was vulnerable.

“It was very easy, they were using an old phone system which was vulnerable to a private phreaking method that we discovered,” he said, adding the the hack was carried out in protest against UK government plans to extend snooping powers as well as against its extradition laws.

It’s not the first time law enforcement calls have been intercepted and leaked by hacktivists.

In February hackers published the recording of a conference call between the FBI and UK police in which the progress of cases against alleged cyber-criminals was discussed. Hackers listened into and recorded the call after obtaining the phone number to be used and the time of the call from a compromised email account belonging to one of the invited participants, who had set his corporate account to forward email to a personal account hackers had broken into. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/13/anti_terror_hotline_hack_arrests/

Security researchers have discovered a strain of fake anti-virus software that tries to intimidate supposed file-sharers into paying for worthless software.

SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other other scareware packages. But this particular strain of malware goes further than this by stopping Process Explorer (procexp.exe) and preventing browsers from loading – tactics designed to force marks to complete the ‘input credit card details’ screen and hand over money for the scamware.

The evil app also falsely tells prospective marks that they are going to be sued for breaching SOPA legislation, claiming it has detected torrent links on PCs. It offers to get around this problem by activating an “anonymous data transfer protocol” for torrent links, another inducement aimed at persuading prospective marks into paying for the worthless security app.

This latter feature differentiates the malware from strains of scareware we’ve seen in the past, which demand money after supposedly detecting “offensive materials” on PCs, sometimes under the guise of a police fine. SFX Fake AV, by contrast, offers a supposed way to evade law enforcement attention.

Finally, the malware also performs a fake scan that classifies Windows Registry Editor as a porn tool.

Bruce Harrison, VP Research at Malwarebytes, said: “SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is a something that the industry is going to have to take into account and protect against, as it is an emerging trend.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/13/scareware_ransonware_hyrbrid/

Boeing is planning to launch an own-brand super secure Android smartphone for military, government, and high-level commercial users by the end of the year.

Roger Krone, president of Boeing Network and Space Systems, told National Defense Magazine that this is probably the first time the company had got into the cellular phone business and it had picked Android because it wanted a similar feel to consumer devices while including military-grade security for encryption for voice and data traffic.

The phone will “give them what they are used to seeing [on consumer market smartphones] and give them the functionality from the security perspective,” Krone said. “We are all living off this thing,” Krone said while holding up his smartphone. “And we’re not going back. In fact the next one I have is going to be thinner, smaller and have more capability.”

Brian Palma, vice president of the Boeing’s secure infrastructure group, said that similar secure phones at that level of the market were selling for $15,000 to $20,000 apiece. The company was aiming for a considerably cheaper price point, but this handset won’t be a mass-market device.

“We are going to drive down towards a lower price point, but . . . not mass-market price point,” he said. “We believe that there is significant interest in the defense side as well as the intelligence side and in the commercial world as well.”

The news is yet more bad news for Canadian smartphone manufacturer RIM. The US government is still a big customer for RIM. (President Obama reported addiction to his personal BlackBerry and France’s premier Nicolas Sarkozy is also keen) and that government sector is a very important part of RIM’s revenue stream. But Boeing has great government contracts as well, and could well carve a serious slice of the sector if the price is right. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/12/boeing_secure_smartphone/