STE WILLIAMS

EU plans tougher punishment for hackers – and their bosses

The European Parliament’s Civil Liberties Committee overwhelmingly voted to approve proposals to criminalise certain activity relating to cyber attacks last week. The proposals contain plans to make specified “legal persons” within companies liable for certain offences.

“Legal persons would be liable for offences committed for their benefit (e.g. a company would be liable for hiring a hacker to get access to a competitor’s database), whether deliberately or through a lack of supervision,” the European Parliament said in a statement. “They would also face penalties such as exclusion for entitlement to public benefits or judicial winding-up.”

EU member countries will be required to “ensure that their networks of national contact points are available round the clock” and that they can “respond to urgent requests within a maximum of eight hours” in order to prevent cyber-attacks spreading across borders.

The Committee’s proposals would make it a criminal offence to conduct cyber attacks on computer systems. Individuals would face at least two years in jail if served with the maximum penalty for the offence.

A maximum penalty of at least five years in jail could apply if “aggravating circumstances” or “considerable damage … financial costs or loss of financial data” occurred, the Parliament said in a statement.

One aggravating circumstance in which the heavier penalty could be levied is if an individual uses ‘botnet’ tools “specifically designed for large-scale attacks”. Considerable damage may be said to have occurred through the disruption of system services, according to plans disclosed by the Parliament.

Individuals found in possession of or distributing hacking software and tools also face criminal charges under the Committee’s proposals.

“Illegal access, interference or interception of data should be treated as a criminal offence,” the MEPs said, according to the Parliament.

Using another person’s “electronic identity” in order to commit an attack that causes “prejudice to the rightful identity owner” could result in offenders serving a minimum of three years in jail under the maximum penalties that could be imposed.

“Tougher penalties” would be imposed on criminal organisations. Those harsher penalties will also be imposed for attacks on “critical infrastructure such as the IT systems of power plants or transport networks,” the Parliament said. If damage caused by attacks is “insignificant” then no criminal sanctions “should” apply.

Criminal offences will also apply for the sale or production of tools that are used to commit cyber-attack crimes, it said.

“We are dealing here with serious criminal attacks, some of which are even conducted by criminal organisations,” Monika Hohlmeier MEP said. “The financial damage caused for companies, private users and the public side amounts to several billions each year. No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world,” she said.

The Committee’s rapporteur hopes to form agreement on a new EU Directive by the summer. Both the European Parliament and Council of Ministers would have to back the proposals for this to happen.

In the UK individuals can face up to 10 years in jail for serious offences under the Computer Misuse Act.

Under the Act it is an offence for a person to knowingly cause “a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured” without authorisation.

Under the Act a person is also guilty of an offence if the unlawful computer access is used to commit, or facilitate, some other offences regardless of whether that subsequent offence is to take place in the future or is indeed possible to commit. A person is also guilty of an offence if they commit any unauthorised act with intent to impair the operation of any computer, prevent or hinder access to any program or data held in any computer, impair the operation of any such program or the reliability of any such data, or enabling those acts to be done.

Making, adapting, supplying or offering to supply any electronic program or data intending it, or knowingly it is likely, to be used or to assist in the commission of unlawful computer access or impairment is also an offence. Supplying electronic programs or data “with a view to its being supplied for use to commit, or to assist in the commission” of unlawful computer access or impairment is also an offence under the Act.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/03/businesses_could_be_liable_for_criminal_offences_under_proposed_cyber_attack_laws/

Email cock-up blamed in Check Point domain expiry snafu

Check Point has downplayed the significance of a domain renewal mix-up that resulted in its home page being replaced by a holding page for a brief period on Monday.

The problem arose because Network Solutions sent the security firm’s domain renewal notice to the wrong email address, a statement by the firewall and VPN firm explained.

Earlier today there was an issue accessing www.checkpoint.com – the site was being re-directed to another page (a Network Solutions page). The problem was that the Checkpoint.com domain registration expired. This happened due to Network Solutions, our domain host, sending our renewal notification to an incorrect email address at Check Point.

There was no security issue whatsoever.

The domain record was wrong and redirected for approximately 23 minutes. During that time DNS servers around the world were updated with the wrong record. We corrected the issue at 15:30 IL time (13:30 UK) on Monday April 2nd.

The update is currently being propagated to all DNS servers in the world. This process takes time, depending on the setting of the DNS servers. Some servers are already updated, while others will be in their next refresh in the next few hours.

Check Point’s domain was due to be renewed on Friday, 30 March. The late renewal may have affected the delivery of email to the security giant as well as the ability of surfers to reach its home page, independent security experts point out.

“When a company loses control of a domain name, however it happens, they also lose control of email for that domain,” explained Owen O’Connor, managing director of Northern Ireland-based network forensics firm Cernam Online Evidence. “In this case Checkpoint’s site was down for a few hours / days but mail to checkpoint.com was also affected – potentially bouncing or worse, delivering to someone other than Checkpoint.”

“This is potentially a big deal with some of the domain seizures and takedowns which are happening so often recently. When a government seizes a domain they’re typically redirecting to a holding page – eg, in the gambling takedowns or the TV piracy ones. In getting the access to change that DNS entry they can typically also redirect mail – potentially without specific permission from whatever court authorised the takedown,” O’Connor added. ®
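The failure mode described above (a lapsed registration silently swapping the delegation, and with it the mail routing, for a domain you own) is easy to catch with a scheduled check. The following script is an added example, not Check Point's or Network Solutions' code: it parses a WHOIS response for the expiry date, reports how many days remain, and compares the NS and MX answers you observe against the values you expect. The WHOIS excerpt, the host names and the dates are constructed for illustration.

```python
"""Domain-expiry and delegation check for a domain you own.

Added example (not code from this article or from the companies named in it).
Feed it the WHOIS text and the NS/MX answers a resolver returned; it flags
(1) an expired or soon-to-expire registration and (2) any drift from the
name servers and mail exchangers you expect, which is what a redirected
domain looks like from the outside.
"""
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpt; the dates and servers are illustrative only.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Registry Expiry Date: 2012-03-30T04:00:00Z
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

# Accepts the common spellings: "Registry Expiry Date:", "Expiration Date:".
EXPIRY_RE = re.compile(
    r"^\s*(?:Registry )?Expir(?:y|ation) Date:\s*(\S+)", re.IGNORECASE | re.MULTILINE
)


def parse_expiry(whois_text):
    """Return the expiry as an aware UTC datetime, or None if no date is present."""
    match = EXPIRY_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1).rstrip("Zz")  # strip the trailing Z, treat as UTC
    return datetime.fromisoformat(raw).replace(tzinfo=timezone.utc)


def days_until_expiry(whois_text, now):
    """Whole days from `now` until expiry (negative once expired); None if unknown."""
    expiry = parse_expiry(whois_text)
    if expiry is None:
        return None
    return (expiry - now).days


def _normalise(hosts):
    return {h.lower().rstrip(".") for h in hosts}


def assess_domain(whois_text, observed, expected, now, warn_days=30):
    """Return a list of findings; an empty list means the domain looks healthy.

    `observed` and `expected` are dicts like {"NS": [...], "MX": [...]}.
    """
    findings = []
    days = days_until_expiry(whois_text, now)
    if days is None:
        findings.append("no expiry date found in WHOIS response")
    elif days < 0:
        findings.append(f"registration expired {-days} day(s) ago")
    elif days <= warn_days:
        findings.append(f"registration expires in {days} day(s)")
    for rtype in ("NS", "MX"):
        exp_set = _normalise(expected.get(rtype, ()))
        obs_set = _normalise(observed.get(rtype, ()))
        if obs_set != exp_set:
            findings.append(
                f"{rtype} records changed: expected {sorted(exp_set)}, saw {sorted(obs_set)}"
            )
    return findings


if __name__ == "__main__":
    # Constructed scenario: the check runs after the renewal date has passed and
    # the registrar's parking servers have replaced the real delegation.
    now = datetime(2012, 4, 2, 13, 30, tzinfo=timezone.utc)
    expected = {"NS": ["ns1.example.net", "ns2.example.net"], "MX": ["mail.example.com"]}
    observed = {"NS": ["park1.registrar-example.net"], "MX": []}
    for finding in assess_domain(SAMPLE_WHOIS, observed, expected, now):
        print("ALERT:", finding)
```

The empty observed MX set in the constructed scenario is the case the forensics expert describes: once the delegation changes, mail for the domain no longer reaches its owner, so the MX comparison deserves an alert of its own rather than being folded into the NS check.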

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/03/check_point_domain_renewal_snafu/

Oz launches DNSChanger testing site

Australia’s government has created a website which detects the presence, or otherwise, of DNSChanger, a nasty piece of malware which the site says “… changes a user’s Domain Name System (DNS) settings, enabling criminals to direct unsuspecting internet users to fraudulent websites and otherwise interfere with their web browsing.”

“It has been associated with ‘click fraud’, the installation of additional malware and other malicious activities,” the site adds.

The hiply-named www.dns-ok.gov.au does what it says on the can: load up the site and you’ll be told whether or not the malware lurks within your system and if, ergo, your DNS is okay. If you are infected, the site urges you to do something about it before the FBI switches off its kludge fix that stops the malware from doing its worst. ®
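Because DNSChanger works by rewriting the victim's resolver settings, the same test the site performs can be run locally: list the DNS servers the host is configured to use and check whether any fall inside a range known to belong to the rogue resolvers. The script below is an added example, not the Australian government's or the FBI's code. The rogue ranges in it are placeholders (RFC 5737 documentation networks) because this article does not list the real ones; a production check would load the ranges published by the FBI. The resolv.conf samples are constructed.

```python
"""Local resolver-hijack check in the spirit of www.dns-ok.gov.au.

Added example (not code from this article or from any agency it names).
Parses resolv.conf-style text for `nameserver` lines and reports any
resolver that sits inside a known-rogue address range.
"""
import ipaddress

# PLACEHOLDER ranges (RFC 5737 documentation networks). Replace with the
# published DNSChanger resolver ranges, which this article does not include.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed samples of what a clean and an infected host might show.
CLEAN_RESOLV_CONF = """\
# Generated by the ISP's DHCP server
nameserver 10.0.0.1
nameserver 2001:db8::53
"""
INFECTED_RESOLV_CONF = """\
nameserver 192.0.2.77     ; rewritten by the malware (placeholder range)
nameserver 10.0.0.1
"""


def parse_resolv_conf(text):
    """Return the nameserver IPs listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        # resolv.conf allows '#' and ';' comments; drop them before tokenising.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry: skip it rather than abort the check
    return servers


def classify_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Map each resolver (as a string) to 'rogue' or 'ok'."""
    verdicts = {}
    for ip in servers:
        hit = any(ip in net for net in rogue_ranges if net.version == ip.version)
        verdicts[str(ip)] = "rogue" if hit else "ok"
    return verdicts


def dns_ok(text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """True when every configured resolver is outside the rogue ranges."""
    verdicts = classify_resolvers(parse_resolv_conf(text), rogue_ranges)
    return all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    # Check the running host if its resolv.conf is readable, else the samples.
    try:
        with open("/etc/resolv.conf") as fh:
            text = fh.read()
        label = "/etc/resolv.conf"
    except OSError:
        text, label = INFECTED_RESOLV_CONF, "constructed sample"
    for ip, verdict in classify_resolvers(parse_resolv_conf(text)).items():
        print(f"{label}: {ip} -> {verdict}")
    print("DNS OK" if dns_ok(text) else "DNS NOT OK: rogue resolver configured")
```

A host with no rogue resolver still passes if its list is empty, so a complete check would also warn when no nameserver line is found at all; the version guard in classify_resolvers keeps an IPv6 resolver from being compared against IPv4 ranges.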

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/03/dns_ok_gov_au/

Parents shocked by priestly PowerPoint pr0n

Parents in Northern Ireland were shocked when a priest’s PowerPoint presentation in preparation for their children’s First Holy Communion displayed gay pornography.

Father Martin McVeigh, the local Catholic priest, was giving the presentation to parents (and one child) at St Mary’s School in Pomeroy when he inserted a USB stick into his computer. Images of men in various states of undress were then displayed via the school projector (16 in all, suggesting that someone wasn’t too shocked to count) before McVeigh realized what was wrong.

“He was visibly shaken and flustered,” parents told the BBC. “He gave no explanation or apology to the group and bolted out of the room. The co-ordinator and the teachers then continued with the presentation. Twenty minutes later he returned, he continued with the meeting and wrapped up by saying that the children get lots of money for their Holy Communion and should consider giving some of it to the church.”

First Holy Communion is an important event for Catholics, during which children first partake in the ritual of transubstantiation, in which the church’s collection of wafers and wine is transformed into the actual body and blood of Jesus Christ – at which point communicants eat the body bits, but do not always have the opportunity to imbibe the fermented, grape-based blood.

Certainly there’s nothing in the Catholic ceremony requiring the introduction of gay pornography, and it could be argued that McVeigh had inadvertently launched a presentation centered on the sin of Onan, who spilled his seed rather than obeying the law and impregnating his sister-in-law. (God was not amused.)

“Inappropriate imagery was inadvertently shown by a priest at the beginning of a PowerPoint presentation, causing concern to those present,” said Cardinal Brady, the head of the Catholic Church in Ireland, in a statement. “The priest has stated that he had no knowledge of the offending imagery. The archdiocese immediately sought the advice of the PSNI who indicated that, on the basis of the evidence available, no crime had been committed. The priest is co-operating with an investigation of the matter on the part of the archdiocese.”

Before people rush to judge Father McVeigh, however, it’s not clear if the offending images were manually stored on the USB stick and appeared due to AutoRun, or if this was a pop-up window caused by malware. The latter is still very common, usually picked up at websites unrelated to those subjects it advertises, and often over-reacted to, as the tragic case of former US teacher Julie Amero demonstrates.

In 2004 Ms. Amero was a school teacher in Connecticut giving a presentation to ten of her pupils when pop-up windows began displaying porn on her computer. She was suspended and then convicted three years later on four counts of risk of injury to a minor – charges that could carry up to 40 years in prison.

Luckily for Ms. Amero, some members of the computer-security industry decided to take up her case, and found that the school-issued PC was a Windows 98 SE machine with IE 5 and an expired antivirus subscription, and she had picked up porn-producing malware from visiting a website discussing hairstyles.

The judge ordered a retrial and Ms. Amero escaped with a $100 fine. She still lost her teaching license, however. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/02/priest_powerpoint_pr0n/

Pastebin.com hiring staff to get rid of activists’ dumps

Pastebin.com has promised to police content on its site more tightly by hiring staff to delete data dumps and other sensitive information more quickly.

The site, one of several of its type and originally set up primarily for programmers, has become a favourite dumping ground for hacktivists from Anonymous and LulzSec over recent months. Many of these posts have revealed an array of personal information swiped from the insecure systems of targets including home addresses, email passwords and (more rarely) credit card details. The dumps are then linked to and publicised by Twitter updates from the various hacktivists.

Pastebin.com relied on an abuse report system to flag up potentially controversial material. However Jeroen Vader, the 28-year-old Dutch entrepreneur who bought the site two years ago, told the BBC that the present system isn’t responsive enough and that Pastebin.com plans to hire staff to actively scour the site so that “sensitive information” might be removed more quickly. PasteBin currently gets 1,200 abuse reports a day via either its on-site notification system or by email.

“I am looking to hire some extra people soon to monitor more of the website content, not just the items reported,” Vader told the BBC in an email interview. “Hopefully this will increase the speed in which we can remove sensitive information.”

Vader said Pastebin.com, which makes its income from selling banner ads, attracts an average of 17 million unique visitors a month, up from 500,000 two years ago. Trending topics on the site frequently include data dumps from hacktivists involved in the AntiSec movement, an offshoot of Anonymous which aims to expose the security shortcomings of computer security firms, police agencies and other high profile organisations. Recent data dumps have included the purported details extracted from a high-profile hack on intelligence agency Stratfor last December and from a data dump of passwords from the YouPorn sex vid channel, among others. Other data dumps of local organisations have led to the blocking of Pastebin in both Pakistan and Turkey.

Pastebin asks its members to avoid posting password lists, stolen source code or personal information. As well as being the go-to place for data dumps, Pastebin.com is also often used by hacktivists to try out the effectiveness of DDoS tools.

“In the last three months not a single day has gone by that we didn’t get some kind of DDoS [distributed denial of service] attack,” Vader said. “I do hear from people in the hackers’ community that many hackers like to test their DDOS skills on Pastebin.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/02/pastebin_content_policing/

Mac Java hole exploited by wild Flashback Trojan strain

Security watchers have discovered a strain of Mac-specific malware that exploits an unpatched vulnerability in Java.

A variant of the Flashback Trojan exploiting CVE-2012-0507 (a Java vulnerability) has been spotted in the wild, F-Secure warns.

Oracle patched the vulnerability for Windows machines in February but is yet to issue a fix for Mac OS X – creating a window of opportunity for virus writers.

F-Secure advises users to disable Java, which isn’t needed to surf the vast majority of websites, on their Mac, as explained in an earlier blog post here.

Some banking websites mandate the use of Java, in which case security-conscious Mac fanbois can re-enable Java for the duration of their session before turning it off again, the Finnish security firm suggests. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/02/flashback_mac_malware/

Tibetan activists’ Macs targeted using trojan-laden MS Office files

A string of booby-trapped Microsoft Office files that plant malware in Apple Macs via rarely abused vulnerabilities have been detected in the wild.

The malicious documents were uncovered in a run of spam messages sent by pro-Chinese hackers to Tibetan activists, security tools biz AlienVault reports. It said the assault was much more sophisticated than the previous malware-based attacks against pro-Tibet sympathisers that it has tracked over recent weeks.

The vector used by the so-called MacControl Trojan in the latest phase of the attack is highly unusual, according to AlienVault.

“This is one of the few times we have ever seen a malicious Office file used to deliver malware on to the Apple Mac platform and which exploits a remote code execution vulnerability that exists in the way that Microsoft Word handles a specially crafted file that includes a malformed record.”

The targeted attack relies upon a critical security vulnerability discovered in Microsoft Word back in 2009, Sophos adds. Mac users, even those logged in as non-administrators, who open the booby-trapped file – which poses as a letter about human rights abuses by China in Tibet – end up loading a Trojan that gives backdoor access to their compromised machine.

China has previously been accused of using the internet to spy on pro-Tibet organisations on several occasions, including one instance when it was blamed for a cyber-espionage attack on the Tibetan government-in-exile and on the private office of the Dalai Lama in the so-called GhostNet operation.

Tibetan activists are on a long hit list uncovered by Trend Micro and dubbed the Luckycat campaign; it uses spear-phishing to inject Windows malware, and targets military and other sensitive entities in India and Japan as well as Tibetan activists.

Luckycat, which has been active since June 2011, has been linked by Trend to 90 attacks in India and Japan against aerospace, energy, shipping, military research and activists. Luckycat uses targeted emails that are contextually relevant and are attached with a malicious document. Many of the attacks share the same infrastructure, which is hosted in China. Circumstantial evidence links at least some of the hacks to Xfocus, a hacker forum in China, Trend Micro reports.

Trend’s research builds on earlier probing by Symantec into the same set of attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/02/mac_malware_apt_luckycat/

Druva adds BYOD crenellations to its data fortress

Druva’s inSync product has been revved to add tablets and smartphones to its existing laptop data protection scheme and bring them all into a uniform enterprise data protection and security scheme.

Both Android and iOS tablets and smartphones are supported with a single user profile covering a user’s bring your own device (BYOD) gear. Their contents can be backed up to a data centre or to the cloud or a combination of the two. In both deployment modes, Druva provides WAN optimisation, data analytics and search.

The user can see and access the contents of all their devices on all their devices and from anywhere on the web. The product provides file versions through “restore points”, which are point-in-time snapshots of all backed up data. Each restore point can be browsed and searched like regular folders.

The inSync product also provides data loss prevention with the ability to wipe data on stolen or lost laptops. Data can be encrypted and geo-located, and alerts notify the inSync administrator of unauthorised access and, it’s claimed, “virtually eliminate the risks of unauthorised access to the data.”

Druva’s inSync scales up to 100,000 devices in an on-premises configuration, with management from a single console. A HyperCache feature preserves storage capacity through in-memory and global source-based data deduplication. Support for solid state drives (SSDs) increases system performance. Druva also provides service-level agreements (SLAs) for durability and reliability.

Jaspreet Singh, CEO of Druva, sang the praises of the latest inSync product:

“Today, many enterprises cannot track how many mobile devices a staffer uses on the job, much less protect that user’s data. That’s why we introduced a ‘manage the user’ model that has put user-device management and security in the hands of IT. Today’s ‘manage the device’ model has become obsolete.”

Druva inSync licensing is based on a per-user model allowing any number of devices per user. Pricing for the inSync cloud product is $6/user/month, and the on-premises version is $4/user/month. The product will be available in April 2012. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/02/druva_byod/

UK.gov to unveil reborn, renamed net-snoop plans in Queen’s Speech

The Coalition’s plans to hugely step up surveillance of the internet aren’t new – indeed they date from well before the Coalition – but readers could be forgiven for thinking it’s all brand new this morning after a quick look at the national newspapers today.

David Cameron’s government first published its intentions to snoop on the net back in November 2010, about six months after his Tory party formed a coalition with the Lib Dems, but in fact these plans represented no more than a rebranding of New Labour’s “Interception Modernisation Programme”.

The Home Office said at the time of the relaunch that it hoped to implement “key proposals… for the storage and acquisition of internet and e-mail records” by June 2015. UK.gov further noted that legislation could be brought in “if necessary”.

Then last July, Home Secretary Theresa May signalled more clearly that the previous Labour government’s shelved £2bn Interception Modernisation Programme (IMP) was definitely coming back to life.

At that point May outlined a new, or at least newly named, counter-terrorism strategy – dubbed CONTEST – and added that it would include a resurrected IMP.

The CONTEST document released by the Home Office made it clear that legislation would “be brought forward” to address what it described as a “technology challenge”. That challenge relates to how terrorists use the internet.

IMP was supposed to be stood up at spook headquarters GCHQ in Cheltenham, to help security services monitor difficult-to-tap tech such as peer-to-peer communications.

The proposed government-snooping plan was stalled until after the 2010 General Election, however, following criticism from civil liberties groups in the UK.

Labour of course lost that election, but the idea of IMP never went away. It was instead effectively rebranded by May’s department as the “Communications Capabilities Development Programme [CCDP]”, which was squarely aimed at tackling perceived threats from rapidly-evolving encryption and other technologies which have increasingly made it difficult even for government agencies to intercept voice and text mobile communications.

The Sunday Telegraph ran a story about CCDP in February, which appeared to us to show that the broadsheet was simply catching up on old news. Now The Sunday Times has added to that coverage by running a story yesterday that was leaked to the Murdoch paper from a “senior civil servant” at the Home Office.

It would appear that the story is being managed: the government is looking to make sure that CCDP is an old news story well ahead of the Queen’s Speech to Parliament on 9 May. Sundays – especially Sunday April the 1st – are good days to have potentially unpopular news reach the population at large.

The only nugget of information that a Home Office spokesman was willing to toss to The Register last month was to confirm that CCDP would be in the Queen’s Speech and that the government planned to “legislate on it as soon as possible.”

Last month, Tory MP David Davis – who heavily criticised Labour’s IMP proposal when in opposition – asked Home Office undersecretary James Brokenshire if his department had been in talks with the Internet Service Providers’ Association over consultation on CCDP.

“Home Office officials have met with the main industry associations representing internet service providers and communications service providers to discuss the cross-Government Communication Capabilities Development programme,” the minister said on 8 March.

“These meetings have included the Internet Service Providers’ Association whose advice has been sought on how and when to engage with all interested internet service providers, as part of the department’s ongoing engagement strategy with industry.”

As for yesterday’s Sunday Times story, we now know that under the new proposed laws spooks will not need a warrant to know who communicates with whom and when they do so – this allows large scale data-mining and analysis. Such hands-off interception can tell spooks a lot, without ever requiring them to read an email or listen to a call: one of the things it can uncover, in fact, is which among millions of conversations, messages, webpages etc etc might be worth looking at or listening to. This kind of monitoring has been a grey area until now, with some saying it’s illegal without a warrant and others – including various large commercial concerns, as well as government agencies – arguing that it isn’t unless and until individuals are specifically targeted.

Actually looking and listening to the content of communications (as opposed to just the headers and addresses) currently requires a warrant under the existing Regulation of Investigatory Powers legislation. However readers should note that even today this would typically be a secret warrant signed within the relevant ministry by the relevant minister, not one obtained from a judge: and as these ministers (who also have many other calls on their time) must already sign large numbers of interception warrants – often covering many people, phone numbers or other identifiers which realistically they must assume are listed justifiably – it’s questionable just how much supervision the spooks are under here. They certainly won’t be under more once the new kit and plans are in place.

Quite apart from legal powers, it’s expected that such an ambitious project will cost billions of pounds to implement, in part because of the large amount of kit that will need to be installed throughout the UK’s communications infrastructure to allow GCHQ to copy “on demand” any internet traffic sent in the UK in “real time”. It’s still unclear how much of the burden will be borne by private-sector entities such as ISPs – who are already required to keep extensive records – and how much by the taxpayer.

Social networks like Facebook and Twitter – being, after all, just another means of handling packets in the end – as well as online video games could all be tapped by spooks under the new plans, according to the ST report.

Such capabilities would require thousands of Deep Packet Inspection probes to be inserted throughout the country’s net infrastructure that would need to be regularly configured to keep up with the changes to how services exchange comms data. Part of the problem with IMP was that the £2bn price tag for implementing such a project over 10 years was simply too low.

Civil liberties campaigner Guy Herbert labelled the CCDP plan “an astonishing waste of money.”

He said: “It is not very far from a bug in every living room that can be turned on and turned off at official whim. Whatever you are doing online, whoever you are in contact with, you will never know when you are being watched. And nobody else will either, because none of it will need a warrant.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/02/ccdp_government_snooping_plans/

Mistakes over GCHQ codebreaker’s death crippled inquiry

Forensic investigators have apologized for the bungling of the inquiry into the mysterious death of a codebreaker employed by the Government Communications Headquarters (GCHQ).

In August 2010, Gareth Williams, described as a mathematical genius by his peers and employed at GCHQ since leaving university, was found dead in his flat in London. Williams, who had recently qualified for deployment with MI6 – Britain’s version of the CIA – was found naked and partially decomposed in a sports bag that had been locked from the outside and placed in the bath.

In the pre-inquest hearing on Friday, the court heard that the investigation into Williams’ death had been botched from the start. LGC Forensics said that DNA found on Mr Williams’ body was investigated, but later turned out to have been transferred there from one of the forensic scientists investigating the death, and a search of the apartment turned up no clues as to his death.

“Having made further checks, LGC identified the partial profile as matching that of a Metropolitan police scientist who was involved in the original investigation of Mr Williams’ home,” a LGC spokeswoman said. “The Metropolitan police service was immediately notified. We are sorry for any pain this error may have caused Mr Williams’ family.”

Lawyer Anthony O’Toole told Westminster Coroner’s Court that the family of Mr Williams had still not been told what his actual job was, and would also like to know why MI6 took so long to raise the alarm after he failed to turn up at work. The body showed no signs of violence, toxicology screenings were negative, and there was no sign that he had tried to get out of the bag.

“The impression of the family is that the unknown third party was a member of some agency specializing in the dark arts of the secret services – or evidence has been removed post-mortem by experts in the dark arts,” he said, according to the Guardian.

While the police initially said that they thought it was unlikely that Williams had managed to lock himself in the bag, they did not rule it out. At the time of his death there was speculation that the death was part of a sex game gone wrong, and the coroner Fiona Wilcox said the likelihood of Williams being able to get in the bag and lock it would be central to the inquest, which is due to be held next month. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/31/gchq_williams_death/