STE WILLIAMS

Forensic snoops: It doesn’t take a Genius to break into an iPhone

Analysis Forensic tools against smartphones allow basic 4-digit phone passcodes to be bypassed in minutes.

However, more complex passcodes are far more difficult to defeat and might even leave some information on seized Android and iOS devices beyond the reach of many tools, according to computer forensics experts.

A YouTube video – since pulled – that accompanied a recent Forbes article showed how Swedish firm Micro Systemation’s XRY tool enabled law enforcement officials to bypass an iPhone passcode and gain access to call records, location data, photos and other information in a matter of minutes.

The process is akin to jailbreaking and relies on exploiting vulnerabilities in the device itself, rather than entering through any backdoor. Once the device is jailbroken, the XRY utility is installed on it and used to brute-force the passcode. On these devices the passcode-derived keys are tied to a per-device hardware key, so every guess has to run on the handset itself, and the time a brute-force takes grows directly with the size of the passcode space.

Once the passcode is obtained it becomes a simple matter to extract sensitive information – including call logs, messages, web browsing history and other data – from the handset. XRY dumps this data to a Windows PC and provides a user interface through which it can be explored.

Current generations of Micro Systemation’s XRY tool only work on the iPhone 4 and first-generation iPad and earlier devices. The firm also markets tools to extract the same sort of information from Android smartphones, BlackBerrys, Windows Mobile phones and other devices. It sells to law enforcement, military and government clients.

The Micro Systemation video went viral after the Forbes article, prompting the firm to remove it from YouTube.

Mike Dickinson, Micro Systemation’s marketing director, explained that his clients didn’t want the capabilities of the technology to be common knowledge. While declining to say much about what XRY can do, Dickinson was willing to talk more generally about the market for mobile forensics technology, which he described as “booming”.

Micro Systemation differentiates itself by specialising in this market and employing more than 30 developers and reverse engineers to research mobile operating system vulnerabilities that its forensic tools might subsequently exploit. On the desktop, a single set of forensic tools and techniques – EnCase from Guidance Software, for instance – can extract data from a Windows XP machine regardless of who built it, and the same approach works on a Samsung or Sony machine running Vista. That does not hold for smartphones: an HTC handset and a Samsung handset need different handling even when they run the same version of Android, Dickinson explains.

“There’s a broad range of different ways to embed the technology even before you consider phones from China,” Dickinson told El Reg. He estimated that the firm’s customers could expect to come into contact with 3,000 different smartphones and feature phones. Although standardisation means that phones can increasingly be grouped together and attacked in the same way, an added complication is becoming more important.

“The next generation of phones store data using hundreds of different apps,” Dickinson explained. “Not all this data is stored in the cloud. Handsets retain traces of data but getting at this information requires the development of expertise,” he concluded.

A four-digit passcode is the default on iPhones, but users can set a longer numeric passcode or one made up of letters, digits and symbols.

Simon Steggles, a director of UK-based computer forensics and data recovery firm Disklabs, said that longer passcodes for devices are far tougher to crack using existing tools, a point Dickinson also conceded in his interview with Forbes.

Disklabs uses technology from Cellebrite that offers similar capabilities to that offered by Micro Systemation’s XRY tool.

Parmjit Bilkhu, one of Disklabs’ iPhone experts, explained that Cellebrite could get past four-digit passcodes in between five and 15 minutes, but that the new software on MSAB’s kit (called .XRY and .XACT) claims to do it faster. Four-digit passcodes don’t present much of an obstacle to the latest mobile forensics tools; longer passcodes are far more of a challenge.

“In the last two months, we have had two iPhones with the advanced passcode on them,” Steggles explained. “We were able to obtain a physical read (with Cellebrite, not tested with XRY) and retrieve data (for example call logs, text messages etc). However, we were unable to verify the data as the software does not crack the complex passcode.”

“It would be possible to recover additional files if the complex passcode was known,” he added.
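Why a four-digit passcode falls in minutes while a longer mixed-character one does not, as an added worked example that is not part of the article and not code from Micro Systemation, Cellebrite or Disklabs. It assumes the model Apple documents for iOS: the passcode is stretched together with a per-device hardware key and the work factor is tuned to roughly 80 ms per guess, so guessing has to run on the handset. The derivation below (PBKDF2-HMAC-SHA256 with a constructed device secret and a deliberately low iteration count) is a stand-in for that, not Apple’s actual key hierarchy; the per-guess cost is a parameter you can change.

```python
"""Passcode keyspace versus on-device brute-force time.

Added example, not from the article or any vendor's tooling. The key
derivation is a stand-in: PBKDF2 with a constructed device secret plays
the role of the hardware-tangled derivation, and the 80 ms per-guess
figure comes from Apple's published description of iOS passcode handling.
"""
import hashlib
import hmac
import itertools
import string
from typing import Optional, Tuple

# Constructed stand-in for a device-unique secret fused into the SoC.
DEVICE_SECRET = bytes.fromhex("5f3b9c0e21d8a7b4c6e1f0a9b8d7c6e5")
# Low iteration count so the demo runs in seconds; a real device uses a
# far higher count calibrated to its own hardware.
ITERATIONS = 50

CHARSETS = {
    "digits": string.digits,
    "alnum": string.ascii_letters + string.digits,
    "alnum+symbols": string.ascii_letters + string.digits + string.punctuation,
}


def derive(passcode: str) -> bytes:
    """Tangle the passcode with the device secret; the result is what a
    brute-forcer has to reproduce, and it cannot be precomputed off-device."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), DEVICE_SECRET, ITERATIONS, 32)


def keyspace(length: int, charset: str) -> int:
    """Number of candidate passcodes of the given length and alphabet."""
    return len(CHARSETS[charset]) ** length


def worst_case_seconds(length: int, charset: str, seconds_per_guess: float = 0.08) -> float:
    """Time to exhaust the whole space at a fixed on-device cost per guess."""
    return keyspace(length, charset) * seconds_per_guess


def brute_force(verifier: bytes, length: int, charset: str,
                limit: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Try every candidate of the given length in order.

    Returns (passcode, guesses) on success or (None, guesses) if the space
    is exhausted or `limit` guesses have been made.
    """
    guesses = 0
    for tup in itertools.product(CHARSETS[charset], repeat=length):
        candidate = "".join(tup)
        guesses += 1
        if hmac.compare_digest(derive(candidate), verifier):
            return candidate, guesses
        if limit is not None and guesses >= limit:
            break
    return None, guesses


if __name__ == "__main__":
    # Constructed target: an ordinary four-digit passcode.
    target = derive("7391")
    found, n = brute_force(target, 4, "digits")
    print(f"recovered {found!r} after {n} guesses")
    for length, cs in [(4, "digits"), (6, "digits"), (8, "alnum"), (10, "alnum+symbols")]:
        secs = worst_case_seconds(length, cs)
        print(f"{length} chars from {cs:14s}: {keyspace(length, cs):>25,d} candidates, "
              f"worst case {secs / 3600:,.1f} hours ({secs / 86400 / 365:,.1f} years)")
```

At 80 ms a guess the full four-digit space takes about 13 minutes, which is the ballpark Disklabs quotes for Cellebrite; six digits takes about a day, and eight mixed-case alphanumerics runs to hundreds of thousands of years. The practical point for anyone handling a seized handset is the same as the one Steggles makes above: the tooling does not get faster for long passcodes, it simply never finishes.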

Smartphones are seized by law enforcement in many types of case, by no means only those connected with computer crime. Sometimes suspects try to destroy evidence on smartphones or tablets after the fact by triggering a remote wipe. Disklabs has developed a countermeasure to this: a range of Faraday bags that investigators can seal seized devices in at the time of arrest. The bag blocks the radio signals a wipe command would arrive over, thwarting subsequent attempts to destroy evidence and preserving the state of the device as it was when seized. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/10/mobile_forensics/

Councils get online arsenal to battle billion-pound bloodsuckers

Local authorities will be able to use a set of online products to help them fight housing tenancy, council tax and blue badge parking frauds, under new government guidelines.

The tools have been created as part of the “Fighting fraud locally” strategy. The strategy was the result of an eight-month review led by the National Fraud Authority (NFA) and is being supported by the Department for Communities and Local Government and the Local Government Association.

The NFA said it worked with private and public sector partners to develop the online package of anti-fraud products and guides to support the strategy, including:

  • a fraud checklist to help local authorities identify possible gaps in a council’s current fraud response;
  • an online fraud resilience check to help local authorities measure their resilience to fraud and assess if they need to improve;
  • a counter-fraud and corruption e-learning training course to help councils raise levels of awareness among staff and facilitate better detection rates; and
  • an online ‘fraud zone’ and discussion forum containing examples of anti-fraud best practice.

The free fraud resilience assessment tool asks users 29 questions based on professional standards for counter-fraud work. It assesses the extent to which their organisation is effectively protected against fraud and is designed to help authorities ensure they have adequate protection in place.

Mike Haley, the NFA’s director of public sector fraud, said: “If councils implement the recommendations and adopt the good practice set out in the strategy significant savings could be made – money which can be used to protect frontline services. We hope the free products we have helped develop will make a tangible difference in helping defeat fraudsters who target councils.”

In its recently published annual fraud indicator report, the NFA estimates that fraud costs the economy £73bn a year – £2.2bn of which affects local government.

This article was originally published at Guardian Government Computing.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/10/councils_get_online_tools_to_fight_fraud/

Anonymous plans DDoS attack on GCHQ in snoop law protest

Analysis The Home Office website is back online following a weekend of disruptive denial-of-service attacks by Anonymous.

The hacktivist collective also launched traffic-flooding assaults against the official website of the UK prime minister, number10.gov.uk, and the UK’s Ministry of Justice as part of a protest against the UK’s controversial extradition laws. The DDoS attacks, launched under the #opTrialAtHome banner on Saturday night, were motivated by the UK government’s treatment of Pentagon hacker Gary McKinnon, Christopher Harold Tappin and TVShack’s Richard O’Dwyer in controversial extradition cases, the hacktivists claimed on their official Twitter feed.

“#OpTrialAtHome, because selling your citizens to foreigner is not acceptable! We are #Anonymous, We do not forget, We do not forgive. #UK,” Anon_Central tweeted.

In a statement, the Home Office confirmed the attack but downplayed its significance.

The Home Office website was the subject of an online protest last night [Saturday]. This is a public-facing website and no sensitive information is held on it.

There is no indication that the site was hacked and other Home Office systems were not affected.

Further attacks against UK government sites might be expected. “#OpTrialAtHome EXPECT US…!!! Every Saturday as this is just the beginning KEEP FIRING,” UKAnonymous2012 tweeted. The account named GCHQ as a target for follow-up attacks on 14 April, this time protesting a proposed tightening of internet surveillance regulations.

Denial-of-service attacks are illegal, and participation in such attacks carries the risk of criminal prosecution, net security firm Sophos adds. One formerly favoured hacktivist tool, the Low Orbit Ion Cannon, exposed the IP addresses of participants in packet-flooding attacks, as several accused hackers have learned to their cost: the tool opens ordinary TCP connections from the participant’s own machine, so every request reaches the target carrying its real source address, and the target’s server logs are all an investigator needs to identify it.

Janis Sharp, Gary McKinnon’s mum, urged net users not to become involved in hacktivist protests, however strong their feelings might be.

“I agree with the Home Office that it was a huge online protest. On Twitter Anonymous said it was in support of Gary, Richard O’Dwyer and Chris Tappin and against extradition, and was pro [the idea of] people who were in the UK during their alleged crime being tried in the UK … I obviously agree with the sentiments,” Sharp told El Reg.

“As these sorts of protests causing a system to overload can come from people from all over the World joining in, they’re difficult if not virtually impossible to stop.

“However I don’t want other people – who are possibly young and/or vulnerable – possibly getting prosecuted or even extradited, and I definitely do not want other families going through what we have been through and are still going through. It’s difficult to explain just how hard it’s been over these past 10 years and everyone should realise the possible consequences they and their families could be facing.”

The availability of accessible attack tools is enabling anyone with an internet connection to carry out DDoS attacks, DDoS mitigation specialists Arbor Networks warns. The security tools firm says that the perception that organisations are powerless to defend themselves against a concerted denial-of-service attack is actually quite wide of the mark. “Best practice dictates organisations have both on-premise protection as well as cloud-based protection from a service provider,” it advises. ®
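How a target picks flood participants out of its own logs, as an added example that is not part of the article and not code from Sophos or Arbor Networks. Because tools such as LOIC make ordinary HTTP requests from the participant’s machine, each source address lands in the web server’s access log; a per-source request count over a sliding time window is enough to single out the floods. The log lines, IP addresses and thresholds below are constructed for the demonstration (combined log format is assumed; the log is assumed to be in time order, as a live tail is).

```python
"""Per-source request-rate detection over web server access logs.

Added example, not from the article. Sample log lines are constructed in
Apache/nginx combined format; the window and threshold are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Leading fields of the combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Return (source_ip, timestamp) for a combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def flood_sources(lines: Iterable[str], window_seconds: int = 10,
                  max_requests: int = 20) -> Dict[str, int]:
    """Map each source that exceeded max_requests within any window_seconds
    span to the peak number of requests seen in such a span.

    Lines are expected in time order, as they are in a live log. One deque
    per source holds the timestamps still inside the window.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks


def _fmt(ip: str, t: datetime, req: str, status: int) -> str:
    return f'{ip} - - [{t.strftime(TS_FMT)}] "{req}" {status} 512 "-" "Mozilla/5.0"'


def make_sample_log() -> List[str]:
    """Constructed log: two ordinary visitors and one LOIC-style flood source."""
    base = datetime(2012, 4, 7, 22, 15, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(50):  # ~6.7 requests/s from a single address for ~7.5 s
        lines.append(_fmt("203.0.113.42", base + timedelta(milliseconds=150 * i), "GET / HTTP/1.1", 200))
    for i in range(3):
        lines.append(_fmt("198.51.100.7", base + timedelta(seconds=2 * i), "GET /news HTTP/1.1", 200))
    lines.append(_fmt("192.0.2.9", base + timedelta(seconds=5), "GET /about HTTP/1.1", 200))
    lines.sort(key=lambda l: parse_line(l)[1])
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(make_sample_log()).items():
        print(f"flood source {ip}: {peak} requests inside a 10 s window")
```

The same loop works on a real log with `flood_sources(open("access.log"))`. The output is a list of addresses to rate-limit or block at the edge, and it is exactly the kind of record that has been used to identify LOIC participants after the fact: the tool does nothing to hide where the requests come from.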

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/10/ukgov_hacktivist_ddos/

Google answers less than half of watchdog’s privacy tweak questions

Google gave French data protection regulator CNIL only a partial response late last Thursday to its questions about the company’s controversial privacy policy changes in March.

The world’s largest ad broker asked for more time to answer the 69 questions put to it by the watchdog, which had been tasked with investigating the company’s actions by the EU’s independent advisory group the Article 29 Working Party.

Google said it was unable to respond fully in time and instead submitted answers to just 24 of those questions on 5 April.

It is expected to complete answers to the remaining 45 questions within the next few days.

In a letter accompanying those 24 responses, Google’s global privacy counsel Peter Fleischer defended his firm’s decision to ignore requests from data protection authorities in Europe who had asked the Chocolate Factory to halt its terms of service changes.

“The use of a primary privacy policy that covers many products and enables the sharing of data between them is an industry standard approach adopted by companies such as Microsoft, Facebook, Yahoo! and Apple,” Fleischer countered.

He claimed that Google had “reached out” to 18 DPAs in Europe ahead of the company going public with its plans to tweak its privacy policy.

Fleischer described that move as being “on the whole… a constructive process.” The Google lawyer added that none of those DPAs asked the company to “pause” the launch of Mountain View’s rejigged terms of service immediately after those “pre-briefings”.

In the same missive, Fleischer claimed to have been unhappy with the actions of some watchdogs who hadn’t met up with him prior to Google announcing its privacy policy tweak.

“We find it disappointing that some regulators publicly express doubts of lawfulness without having accorded us any chance to engage on the issues of concern,” he said.

Fleischer also fired a few questions back at CNIL, asking – among other things – what the “legal basis” was for the Article 29 Working Party to “act as a regulatory body”.

The Google privacy lawyer urged members of the Working Party, which is vice-chaired by the UK’s information commissioner Christopher Graham, to “in the spirit of fairness… be heard at a plenary session”.

Meanwhile, Google struggled to provide full answers to many of the 24 questions it did respond to last week.

For example, the company was unwilling to say exactly how many users of its services and products had moaned about the privacy policy changes, instead preferring to say that “complaints from our users appear to have been minimal.”

Likewise, Google could not produce the “metric” detailing the number of unique visitors to the firm’s privacy policy page, which was heavily trailed across many Google properties in the run-up to the changes implemented on 1 March.

Separately, Google offered The Register this statement about its beef with European DPAs:

“Our new Privacy Policy is an important part of our layered approach to providing users with clear and comprehensive information about how we use data, and it is supplemented by additional privacy information to our users in places where they expect to find it,” a Mountain View spokesman said.

“We are confident that our privacy notices respect the requirements of European data protection laws.”

Dutch data protection chief Jacob Kohnstamm didn’t take kindly to Fleischer’s comments regarding some DPAs failing to meet for pre-briefings on Google’s terms of service changes.

He told Reuters that it was not up to him to get together for “a cup of tea and a chat” regarding such matters. “I am not going to give advice to Google and do so on taxpayers’ money,” he thundered. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/10/google_partially_responds_to_cnil/

FBI frets about dumb security in smart meters

The FBI is seeing increasing hacks on electricity smart meters, with most attacks designed to let consumers get power without paying for it.

Krebs on Security claims to have an FBI intelligence bulletin that outlines the agency’s growing concern at smart meter hacks – and which along the way highlights the cavalier attitude smart meter designers have to security.

The FBI bulletin, Brian Krebs says, enumerates a variety of approaches to getting free power out of smart meters: at the sophisticated end, the attacker builds a DIY optical interface to connect to the device and modify its software. At the “who could be so stupid” end, the Feds say some smart meters can be fooled into recording the wrong power usage simply by placing a magnet on top.

“This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company,” the bulletin states.

Krebs says the alert he has obtained was issued by the FBI after it investigated incidents of power theft in Puerto Rico assessed as worth as much as $US400 million annually. While it was the first time the Feds got involved in the issue, the bulletin notes that “The FBI assesses with medium confidence that as Smart Grid use continues to spread … this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer”.
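A revenue-protection check for the night-time magnet pattern the bulletin describes, as an added example that is not part of the article, the FBI bulletin or Krebs’ reporting. The fraud leaves a distinctive signature in interval data: overnight consumption collapses while air-conditioning should be running, yet daytime readings stay normal because the magnet is removed before a technician might call. Comparing each day against the meter’s own baseline separates that from a vacant house or an outage, where both periods drop together. The hourly kWh readings, the night/day split and the thresholds below are constructed and illustrative.

```python
"""Detect overnight load suppression against a meter's own baseline.

Added example, not from the bulletin or Krebs. Readings are constructed
hourly kWh values (24 per day); the period split and ratios are illustrative
and would be tuned per tariff region and season in practice.
"""
from statistics import median
from typing import List, Sequence, Tuple

Day = Sequence[float]  # 24 hourly kWh readings, index 0 = 00:00-01:00

NIGHT_HOURS = (22, 23, 0, 1, 2, 3, 4, 5)
DAY_HOURS = tuple(h for h in range(24) if h not in NIGHT_HOURS)


def _period_median(day: Day, hours: Sequence[int]) -> float:
    return median(day[h] for h in hours)


def period_ratios(day: Day, baseline_days: Sequence[Day]) -> Tuple[float, float]:
    """Return (night_ratio, day_ratio): this day's median night and day load
    relative to the median of the same periods over the meter's baseline days.
    A zero baseline (brand-new or dead meter) yields a ratio of 0.0."""
    base_night = median(_period_median(d, NIGHT_HOURS) for d in baseline_days)
    base_day = median(_period_median(d, DAY_HOURS) for d in baseline_days)
    night_ratio = _period_median(day, NIGHT_HOURS) / base_night if base_night else 0.0
    day_ratio = _period_median(day, DAY_HOURS) / base_day if base_day else 0.0
    return night_ratio, day_ratio


def flag_night_suppression(day: Day, baseline_days: Sequence[Day],
                           night_max: float = 0.2, day_min: float = 0.6) -> bool:
    """True when overnight load has collapsed while daytime load stays normal.

    A whole-day collapse (vacancy, outage, seasonal change) is deliberately
    not flagged: it is the asymmetry that points at tampering.
    """
    night_ratio, day_ratio = period_ratios(day, baseline_days)
    return night_ratio < night_max and day_ratio >= day_min


def constructed_meter_data() -> Tuple[List[Day], Day, Day]:
    """Constructed sample: a baseline week, a tampered day and a vacant day."""
    # Baseline: air-conditioning runs overnight (~2.0 kWh/h), lighter by day (~0.8 kWh/h).
    baseline = [[2.0 if h in NIGHT_HOURS else 0.8 for h in range(24)] for _ in range(7)]
    # Tampered day: magnet on overnight, removed for the day.
    tampered = [0.05 if h in NIGHT_HOURS else 0.8 for h in range(24)]
    # Vacant day: everything near zero, which is not the fraud pattern.
    vacant = [0.05] * 24
    return baseline, tampered, vacant


if __name__ == "__main__":
    baseline, tampered, vacant = constructed_meter_data()
    for label, day in (("baseline day", baseline[0]), ("tampered day", tampered), ("vacant day", vacant)):
        n, d = period_ratios(day, baseline)
        print(f"{label:13s}: night {n:.2f}x, day {d:.2f}x of baseline -> "
              f"{'FLAG' if flag_night_suppression(day, baseline) else 'ok'}")
```

Run over a fleet, the flagged meters are candidates for a field inspection; the check is cheap because it needs only the interval data the utility already collects, and it does not depend on the meter’s own tamper sensors, which a magnet may not trip.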

Smart meter security has been the subject of legitimate concerns and has also fed a growing anti-smart-meter movement in many countries. Earlier this year, German researchers demonstrated serious privacy flaws in a smart meter scheme that allowed attackers to intercept meter data and determine householders’ TV viewing habits and whether or not they were home.

As far back as 2010, researchers in the UK were warning that smart meter security was so poor it offered attackers a remote “kill switch” they could use against electricity consumers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/09/fbi_on_smart_meter_security/

Chinese military contractor hits back at hacktivist Hardcore Charlie

A Chinese military contractor has strongly denied recent allegations that it was hacked by the Anonymous-affiliated ‘Hardcore Charlie’, but the hacktivist has responded by leaking more documents including US military data which he claims the firm has shared with Vietnam, Ukraine and Russia.

Beijing-based China National Import Export Corp (CEIEC), which sells a range of military kit including electronic warfare, radar and logistics gear, said in a terse statement on Friday that “the information reported is totally groundless, highly subjective and defamatory”.

It added the following:

In the past 32 years, CEIEC, strictly abiding by the law of China, complying with international principles and customs and sticking to honest operation, has won the respect and honour of people in all fields, including the media.

At present, illegal attacks have become a big threat to internet security, and the collusion of hacking and defamation challenges social morality and the law. It is believed that media and netizens with a strong sense of social responsibility are able to distinguish between right and wrong, so that internet justice and security can be maintained.

CEIEC reserves the right to take legal action against the relevant responsible individuals and institutions.

The firm’s beef is with a hacktivist who goes by the name of Hardcore Charlie on Twitter and who last week claimed to have hacked the military contractor, posting data dumps to Photobucket and Pastebin which he said revealed CEIEC had got hold of sensitive US army data.

He then claimed the Chinese firm had leaked the sensitive data – some of which appears to relate to the US army’s operations in Afghanistan – to malicious third parties including the Taliban.

Doubts were raised about the authenticity of the files however as the hacktivist is associated with a hacker known on Twitter as YamaTough, who has previously falsified certain documents which he claimed were hacked from the Indian military.

Undeterred, ‘Hardcore Charlie’ has taken to Twitter once more to dispute CEIEC’s statement and post links to another set of data he claims to have snarfed from the contractor.

“When it comes to US screwed up CN will never admit to any leaks just like US admits no MIL exposure Expect more,” he wrote in a post on Saturday.

The hacktivist is also claiming the documents have been shared with terrorists in Ukraine and Russia as well as with third parties in Syria and Vietnam. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/10/ceiec_hits_back_at_hardcore_charlie/

Twitter slams top five spammers with legal suit

Twitter has filed a legal suit against five entities for selling tools that send out spam tweets and clog up its network.

The suit names TweetAttacks, TweetAdder, and TweetBuddy, plus James Lucero of Justinlover.info and Garland Harris of Troption.com as its targets. In the legal filing, Twitter says that it has had to pour resources into its Trust and Safety team to try and stop spam, and has spent nearly a million dollars to counter the effects of the five defendants.

“With this suit, we’re going straight to the source. By shutting down tool providers, we will prevent other spammers from having these services at their disposal. Further, we hope the suit acts as a deterrent to other spammers, demonstrating the strength of our commitment to keep them off Twitter,” the company said on its blog.

The filing points out that all of the accused have signed up for a Twitter account, which involves signing the terms of service that specifically prohibit spam generation, as well as selling software that also breaks Twitter’s terms. Furthermore, they market their code specifically as being able to circumvent existing spam controls.

As for the goal of the suit, Twitter wants the defendants shut down and claims damages equal to the amount it estimates they have cost the company. That works out at $300,000 for TweetBuddy, $150,000 for TweetAttacks, a $100,000 bill for James Lucero, and $75,000 apiece for TweetAdder and Garland Harris.

Twitter made clear that it wasn’t just relying on the legal system in its anti-spam campaign, but is beefing up security-engineering efforts as well. Just how successful it is will depend upon the ability of spammers to react technologically, and whether or not they are worried about their legal position. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/06/twitter_suit_spammers/

Hacktivist ‘Hardcore Charlie’ claims China military hack

A hacker affiliated to hacktivist group Anonymous and dubbed Hardcore Charlie claims to have broken into the IT systems of a Chinese military contractor and exposed documents related to the US war effort in Afghanistan.

The hacker first announced the news on Monday via this tweet: “CHINA military contractor CEIEC owneed like hell ! US military escort charts exposed to Taliban.”

The accompanying post to Pastebin contains links to supposedly sensitive documents uploaded to Photobucket and a large data dump of other files, along with the following message:

Today us prezenta recently owneed chino military kontraktor CEIEC. Us be shoked porque their shiiit was packed with goodiez cummin from a USA Military brigadezz in Afghanistan, them lulz hablando mucho puneta about sam slit eyed dudz in Vietnam and Philiez doing bizness in Ukraine and Russia selling goodiez to Taliban terrorists.

In an email conversation with Reuters, Charlie reportedly described himself as a 40-year-old Hispanic man who lives near the US. He said he was a friend of LulzSec informant Sabu and had managed to hack CEIEC, or China National Import Export Corp, by cracking key email passwords.

The newswire raised doubts about the authenticity of the documents, however, given that Charlie is also associated with a hacker known on Twitter as YamaTough.

YamaTough is also known as a spokesperson for Indian hacking group Lords of Dharmaraja, which exposed the source code of Symantec software as well as Indian military documents which turned out to be partly falsified.

The claimed hack of CEIEC – which sells electronic warfare, radar and logistics technology amongst other things – comes in the same week that Anonymous finally turned its attention to China.

The group claimed to have hacked and defaced over 480 regional government and business sites as part of a new campaign designed to encourage hackers in the country to rise up against the Communist Party.

Ironically enough, Chinese hacktivists are much more likely to use their skills against the West with, it has long been suspected, the help or blessing of the authorities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/06/hardcore_charlie_china_hack/

China blames web for gun smuggling crims

The Chinese authorities are blaming the world wide web and multinational delivery companies for a rise in gun smuggling into the People’s Republic.

A China Daily report claimed that criminal gangs are increasingly turning to the web to trade illegal weapons and then using express delivery networks to ship them into the country because they stand less chance of detection this way than if carrying them through land border checkpoints.

Police smashed 69 gun-smuggling rings and 20 criminal gangs last year, and a three-month web crackdown begun in August led to the confiscation of 2,000 guns and 32,000 bullets, the report continued.

The firearms came from Asia, the US and Europe, and multinational delivery firms were urged to police their services more carefully to comply with local laws.

Qian Xiongfe, a senior officer from the Ministry of Public Security, told the paper that police would focus even greater scrutiny on suspected web sites, online forums and blogs going forward, as well as delivery companies.

Given that the China Daily is a state-run newspaper, as all of the media outlets are in China, this article could probably be viewed as a nice bit of PR for the shadowy ministry, and yet another means of justifying the state’s tough web monitoring laws.

While China continues to grow economically and has done much to engage internationally on the political and diplomatic front, the country is widely seen to have taken a turn for the worse when it comes to online freedoms under the presidency of Hu Jintao.

Aside from the shuttering of thousands of web sites deemed fraudulent, pornographic or harmful to society in some other way, the authorities have now turned their attention to micro-blogs, which they view with suspicion as a potentially disruptive force.

Most recently, web companies Sina and Tencent were punished and ordered to clean up their Twitter-like platforms after a crackdown on unfounded rumours of a political coup at the apex of the Communist Party which spread online last month. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/06/china_gun_smuggling_web/

Sky News admits two counts of computer hacking

Sky News, which is partially owned by Rupert Murdoch’s News International, has admitted that it twice authorized journalists to hack the email accounts of people it was researching for stories.

The first case took place in 2008 and involved the case of John Darwin, who was dubbed “Canoe Man” by the British press after he disappeared in one during a jaunt on the North Sea in 2002. Darwin faked his death so that his wife Anne could collect the life insurance money, and stayed hidden for five years before turning himself in to police in London, claiming he was suffering from amnesia.

Darwin’s story soon fell apart under examination – not least when the press uncovered a photograph, published online, of him and his wife with a Panamanian real estate agent. A Sky News reporter asked for and was approved to hack into a Yahoo! email account thought to be used by the Darwins, and uncovered evidence that his wife was in on the scam, which was handed over to the police and used in the trial of Anne Darwin.

“We stand by these actions as editorially justified,” said Sky News in a statement. “As the Crown Prosecution Service itself acknowledges, there are rare occasions where it is justified for a journalist to commit an offence in the public interest.”

According to The Guardian, the second case of hacking took place when Sky News was investigating a man and woman under suspicion of pedophilia. In that case no story was published, presumably because no evidence could be found, but the Sky News statement makes no mention of this.

Both cases are fairly obvious breaches of the Computer Misuse Act, which contains no public-interest defence. The get-out journalists rely on is prosecutorial discretion: the Crown Prosecution Service may decline to bring charges where an offence is judged to have been committed in the public interest. In practice, most news outlets interpret this to mean anything that the public is interested in, and the courts seldom disagree.

However, the news comes at an awkward time, considering the widespread phone hacking that has been exposed in other titles in the Murdoch stable. Sky News defended its actions and said a full review had taken place.

“We do not tolerate wrong-doing. That’s why we commissioned, at our own initiative, reviews of payments and email records at Sky News,” a company spokesman said. “I’m pleased to say those reviews did not reveal any illegal or unethical behavior.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/05/sky_news_hacking_darwin/