STE WILLIAMS

Tick-like banking Trojan drills into Firefox, sucks out info

A new banking Trojan is spreading in the UK and the Netherlands, Symantec warns.

Neloweg operates much like its more famous cybercrime toolkit predecessor ZeuS, but with a couple of subtle twists.

“Like Zeus, Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Neloweg stores this on a malicious webserver,” Symantec analyst Fred Gutierrez explains.

The malware is designed to snatch online login credentials, primarily (but not exclusively) those for online banking sites. It infects machines by tricking Microsoft Windows users into installing it via a drive-by-download, spam or targeted email, or with the help of other malware.

Neloweg targets browsers built on the Trident (Internet Explorer), Gecko (Firefox) and WebKit (Chrome/Safari) engines. In the case of Firefox, the Trojan installs itself as a component of the browser rather than as an extension, which makes Neloweg stealthier than previous strains of banking malware.

“In the past we have seen threats create malicious extensions,” Gutierrez writes. “All users had to do was disable that particular add-on and they would be safe.

“For Neloweg, this is not the case. Since it is a component, it does not appear as an add-on in Firefox’s add-ons Manager, like other extensions and plugins do. Furthermore, because of the way Firefox is designed, Neloweg will be recreated and reinstalled every time Firefox attempts to connect to the Internet.” ®
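The stealth Gutierrez describes is that the component never appears in the Add-ons Manager, so a check has to go to disk instead. The following is an added example, not Symantec's code and not part of the original article: it builds a SHA-256 manifest of a browser install tree from a known-good state and reports files added, changed or removed since. The directory layout, file names and the simulated tampering are constructed for the demo; the real Firefox install path (typically under Program Files on Windows) and the exact files Neloweg drops are not given in the article and are not assumed here.

```python
"""Baseline-and-diff integrity check for a browser install directory.

Added example (not Symantec's analysis or code). A component that hides from
the Add-ons Manager still has to exist on disk inside the install tree, so a
hash manifest taken from a clean install will show it as an unexpected file.
Paths, file names and contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative, POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify drift against the baseline: files added, modified, or removed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Construct a fake install tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "components").mkdir()
        (root / "components" / "nsBrowserGlue.js").write_text("// legitimate component\n")
        (root / "omni.ja").write_bytes(b"PK\x03\x04 fake archive")
        baseline = build_manifest(root)  # in practice: persist this from a clean install

        # Simulated tampering: one new component file and one modified existing file.
        # "evil_component.js" is a constructed name, not a real Neloweg artefact.
        (root / "components" / "evil_component.js").write_text("// injected\n")
        (root / "components" / "nsBrowserGlue.js").write_text("// patched\n")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the component is reinstalled every time Firefox goes online, a diff taken on a live infected machine will keep reporting the same "added" entries until whatever reinstalls it is removed as well; the manifest tells you that something outside the baseline is present, not what put it there.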

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/neloweg_banking_trojan/

Google rolls out privacy policy, snubs Euro outcry

Google has defended its decision to combine around 60 of its privacy policies into one simplified document that makes it clear that users of the company’s products and services will be more uniformly tracked by the Chocolate Factory.

The search giant debuted its revised terms of service today, after announcing in late January that it would be tweaking its data-handling policy to cross-pollinate its huge online business with a single ID verification process to more accurately target its users.

Privacy advocates, data protection officials and top lawyers have been hugely critical of the move. Google’s privacy policy overhaul even prompted the Article 29 Working Party, the EU’s independent advisory body on data protection, which is vice-chaired by the UK’s Information Commissioner Christopher Graham, to task the French regulator CNIL with investigating Google’s actions.

The preliminary response from CNIL, as we reported yesterday, was to confirm that Google’s changes to its privacy policy did not meet the requirements of the EU’s 1995 Data Protection Directive.

Nevertheless Google has implemented the tweaks and defended the move by saying that halting it at this stage would “confuse” the firm’s userbase.

At a seminar hosted in London last night by ICOMP, a Microsoft-backed Brussels lobby group, Graham danced around the question of whether Google was in the wrong.

“We don’t know if Google is operating outside of EU law… I’m not going to say it isn’t lawful as it’s being investigated,” he said.

Graham had earlier noted that the company’s CEO Larry Page deserved some “credit” after Google sent out “consumer alerts” earlier this year, but further pointed out that Page had failed to answer the question on lawfulness levelled at him by CNIL.

Google’s UK policy wonk, Theo Bertram, was the one lonely Choc Factory voice at the ICOMP seminar last night. He asked the speaker, ex-US Federal Trade Commissioner Pamela Jones Harbour, to explain how Google could have better communicated the changes to its users.

Jones Harbour, who sits on the Electronic Privacy Information Center’s advisory board, declined to answer by saying she didn’t speak for Microsoft – a company to which she currently offers legal representation, although in her previous role at the FTC she fought against Redmond over antitrust behaviour relating to the browser market.

After the event, Bertram told The Register that the former commissioner’s argument against Google’s data-handling and dominance in search would have been much stronger had she provided a more “balanced view” of the current online landscape.

Jones Harbour, who is a partner at Fulbright & Jaworski LLP, countered in a telephone conversation with this reporter this morning that Microsoft’s search engine Bing has just 3 per cent market share in Europe, and added that Google’s dominance in the online business deserved scrutiny not only from data protection watchdogs but also from antitrust regulators.

The lawyer cited the Article 29 Working Party’s previous discussion with the European Commission’s Directorate-General for Competition about Google’s 2007 takeover of ad company DoubleClick.

Those talks didn’t lead anywhere, however. Jones Harbour reckons that it’s now “time for competition officials to take another look”.

It’s unclear whether the European Commission might yet widen its current investigation of Google’s business practices to work out if that behaviour has been anti-competitive in the EU market by also considering how the company collects data from its users, given today’s significant terms of service tweak.

For Jones Harbour, competition and privacy in the online world need to be knitted together much more closely by antitrust watchdogs than is currently the case.

“The traditional ways of looking at the market don’t apply here when it comes to companies such as Google,” she said.

The lawyer added that she had never seen a business behave in the way Google had by declining to halt its privacy tweaks while DPAs scrutinised the move.

She claimed that “Google is arrogantly saying ‘make me do it’ to regulators”.

Meanwhile, Google’s Alma Whitten reiterated what the privacy policy revamp meant in a blog post confirming that the company had effectively ignored CNIL’s request:

“The new policy doesn’t change any existing privacy settings or how any personal information is shared outside of Google. We aren’t collecting any new or additional information about users. We won’t be selling your personal data. And we will continue to employ industry-leading security to keep your information safe.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/google_privacy_policy_implemented/

Stolen NASA laptop had Space Station control codes

A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency’s inspector general told a US House committee.

NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was stolen in March 2011, which “resulted in the loss of the algorithms used to command and control the ISS”.

Martin also admitted that 48 different agency laptops or mobile devices had been lost or stolen between April 2009 and April 2011 (that NASA knows of). The kit contained sensitive data including third-party intellectual property and social security numbers as well as data on NASA’s Constellation and Orion programmes.

The actual number of missing machines could be much higher, because the agency relied on staff to ‘fess up when their notebooks were lost or stolen and admit what information was on them.

“Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,” Martin told the Subcommittee on Investigations and Oversight.
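Martin’s point is that an encryption policy without an enforcement check leaves encryption optional on each device. As an added example, not from the IG report, NASA or any named tool, here is a parser for the text that Windows’ `manage-bde -status` prints, flagging volumes that are either unencrypted or have protection suspended. BitLocker is an assumption: the report does not say which product NASA would deploy. The status text is constructed to follow manage-bde’s layout and is not captured from a real machine.

```python
"""Audit `manage-bde -status` output for volumes that are not fully protected.

Added example, not NASA tooling. The report only says the stolen laptop was
not encrypted and calls for an agency-wide solution; this is the shape of the
fleet check that makes such a policy auditable, assuming Windows BitLocker.
SAMPLE_STATUS is constructed to mirror manage-bde's layout (not real output).
"""
import re
from typing import Dict, List

SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.73 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]): ")
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s+(.+?)\s*$")


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Return {drive letter: {field: value}} from manage-bde -status text.

    Header lines before the first 'Volume X:' are ignored; the indented
    key-protector list has no colon and so is skipped by FIELD_RE.
    """
    volumes: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = m.group(1)
            volumes[current] = {}
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            volumes[current][m.group(1).strip()] = m.group(2).strip()
    return volumes


def noncompliant(volumes: Dict[str, Dict[str, str]]) -> List[str]:
    """Drive letters that are not both fully encrypted and actively protected.

    'Protection Off' on a 'Fully Encrypted' volume still fails: a suspended
    protector leaves the volume key stored in the clear on disk.
    """
    bad = []
    for letter, fields in volumes.items():
        enc_ok = fields.get("Conversion Status") == "Fully Encrypted"
        prot_ok = fields.get("Protection Status") == "Protection On"
        if not (enc_ok and prot_ok):
            bad.append(letter)
    return sorted(bad)


def audit(text: str) -> Dict[str, object]:
    """Single entry point for a management agent: parsed volumes plus verdict."""
    volumes = parse_status(text)
    failing = noncompliant(volumes)
    return {"volumes": volumes, "noncompliant": failing, "compliant": not failing}


if __name__ == "__main__":
    print(audit(SAMPLE_STATUS)["noncompliant"])
```

In a fleet, the agent would run `manage-bde -status` on each host and report `audit()`’s verdict centrally; a machine reporting from the field that is unencrypted gets remediated before it goes missing, which is the only point at which the check is useful.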

The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues, but the government might want to remember that its own cybersecurity has had “mixed success”.

“Many of the technologies developed and utilised by NASA are just as useful for military purposes as they are for civil space applications.  While our nation’s defense and intelligence communities guard the ‘front door’ and prevent network intrusions that could steal or corrupt sensitive information, NASA could essentially become an unlocked ‘back door’ without persistent vigilance,” warned Subcommittee chairman Paul Broun.

As well as facing the continuous disappearance of unencrypted staff laptops, NASA is also subject to increasingly sophisticated cyber attacks, Martin told the hearing.

“In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems,” he said.

“These incidents spanned a wide continuum: from individuals testing their skill to break into NASA systems, to well-organised criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.”

He said the intrusions had disrupted mission operations, had resulted in the theft of sensitive data and had cost the agency more than $7m.

Chairman Broun said that since the inspector general’s last report on IT security at NASA, the agency had taken steps to follow the IG’s recommendations, but said it still needed to do more.

“Despite this progress, the threat to NASA’s information security is persistent, and ever changing. Unless NASA is able to constantly adapt – their data, systems, and operations will continue to be endangered,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/nasa_stolen_laptop_unencrypted/

Feds crack suspect’s encrypted drive, avoid Constitution meltdown

Investigators have cracked the encryption key for a laptop drive owned by a Colorado woman accused of real-estate fraud – rendering a judge’s controversial order to make her hand over the passphrase or stand in contempt of court irrelevant.

The government seized the Toshiba laptop from Ramona Fricosu back in 2010 and successfully asked the court to compel her to either type the key into the computer or turn over a plain-text version of the data held on her machine.

Her lawyer’s argument that compelling her to hand over encryption keys would violate her Fifth Amendment rights against self-incrimination was rejected. Prosecutors offered Fricosu limited immunity in this case without going so far as promising they wouldn’t use information on the computer against her.

The Electronic Frontier Foundation filed a brief supporting the defence in the case, arguing that Fricosu was being forced to become a witness against herself. District Judge Robert Blackburn refused to suspend his decision for the time it would take to convene an appeal. The regional 10th U.S. Circuit Court of Appeals refused to review his decision.

Fricosu was left with the stark choice of either coughing up her encryption keys by the end of February or risking a spell behind bars for contempt of court. Philip Dubois, Fricosu’s attorney, claimed that his client had forgotten the encryption passphrase.

The closely watched case set the scene for a legal showdown that would test the US Constitution’s Fifth Amendment rights in the digital age. However the Feds handed the plain-text contents of the laptop to Dubois on Wednesday. It seems more than likely that the authorities had come across the right passphrase without Fricosu’s forced assistance.

“They must have used or found successful one of the passwords the co-defendant provided them,” Dubois told Wired.

Fricosu and her ex-husband and co-defendant Scott Whatcott are both accused of mortgage fraud.

The development comes days after a federal appeals court ruled in a separate case that a defendant did not have to hand over keys to decrypt a laptop drive believed to be storing images of child abuse. The ruling by the Atlanta-based US 11th Circuit Court of Appeals in the case of an unnamed Florida suspect upheld the defendant’s right to resist forced decryption.

This was the first appellate court to rule on the balance between Fifth Amendment rights against compelled self-incrimination and the public interest in allowing police to potentially unearth evidence in criminal cases involving encrypted computers and storage devices. However, the ruling is not binding in other circuits, especially in the absence of a Supreme Court ruling on the issue.

The US Fifth Amendment holds that no one “shall be compelled in any criminal case to be a witness against himself”. The Supreme Court has previously drawn the distinction that a criminal suspect can be compelled to turn over the key to a safe possibly containing incriminating evidence, but is not obliged to supply the combination of a safe to investigators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/forced_decryption_ruling_moot/

ICO slaps Durham Uni for exposing staff, students’ privates

Durham University leaked the personal details of 177 staff and students in a training manual that turned out to reveal more than how to take out a library book. The university has just been given a slap on the wrist by the Information Commissioner’s Office (ICO) and has promised to reform its data protection policies.

In illustrating the internal workings of its systems, Durham Uni unfortunately revealed personal information about its employees and students and posted screenshots of webpages full of information including names, addresses and dates of birth.

Details that should have been fictionalised or anonymised turned out to be the real details of 177 members of staff and present and past students.

The information was online for five months until July 2011, when Durham officials realised their mistake, took the images down and reported themselves to the ICO.

Durham has now committed to ensuring all staff receive appropriate training on data protection.

Steve Eckersley, Head of Enforcement at the ICO said: “All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.”

We’ve asked the university what type of training the manuals were for, and we’ll update if we hear back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/durham_university_ico/

Watchdog hits out at malware racking up premium-rate charges

The premium rate phone regulator says it might disregard evidence of consumer consent from paid-for mobile applications if those apps turn out to contain malicious code.

Under PhonepayPlus’ Code of Practice, premium-rate service (PRS) providers are prohibited from charging without consumers’ consent. Certain PRS providers must hold evidence that consent has been obtained.

In new guidance (11-page/155KB PDF), the regulator said malware contained in mobile apps had been used to send text messages containing keywords that result in consumers being charged for using PRS “shortcodes” without their knowledge or consent.

There have also been other instances of malware on mobile apps causing PRS numbers to be dialled without consumers knowing about it or authorising it.

Malware has also caused the “illicit access” of consumer contact lists, such as phone numbers or social networking contacts, which have been relayed to others without consent in order to “build up unauthorised marketing lists,” PhonepayPlus said. In all those circumstances consent to charging may not be said to have been obtained, it said.

“Providers are asked to note that, where such malicious software (‘malware’) is found, then a Tribunal may not be likely to consider any proof of consent (including Mobile Origination messages or records of calls) to be robust enough,” the regulator said.
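The three behaviours PhonepayPlus lists (texting keywords to shortcodes, dialling PRS numbers, lifting contact lists) each need a declared permission on Android, which makes a manifest check a cheap first filter before any dynamic analysis. The following is an added example, not code from PhonepayPlus or from the guidance, which names no apps and contains no code: it reads an AndroidManifest.xml and maps declared permissions to premium-rate abuse capabilities, and also looks for a high-priority SMS_RECEIVED receiver, the mechanism such malware uses to swallow the carrier’s confirmation texts before the user sees them. The manifest, package name and thresholds are constructed for the demo.

```python
"""Static triage of an Android manifest for premium-rate abuse capability.

Added example; not PhonepayPlus code. Android is assumed as the platform
(the guidance is platform-neutral). SAMPLE_MANIFEST is constructed; the
package name is fictitious. This is a heuristic filter, not a verdict.
"""
import xml.etree.ElementTree as ET
from typing import Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"

# Abuse capability -> Android framework permissions that grant it.
PRS_ABUSE = {
    "send premium SMS": {"android.permission.SEND_SMS"},
    "hide/consume reply SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "dial premium numbers": {"android.permission.CALL_PHONE"},
    "harvest contacts": {"android.permission.READ_CONTACTS"},
    "persist across reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Free Wallpapers">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission")}


def sms_receiver_priority(manifest_xml: str) -> int:
    """Highest android:priority on an intent-filter for SMS_RECEIVED (0 if none).

    An abusive receiver sets this very high so the ordered broadcast reaches
    it first and it can abort the carrier's charge/confirmation text before
    the stock messaging app displays it.
    """
    root = ET.fromstring(manifest_xml)
    best = 0
    for flt in root.iter("intent-filter"):
        actions = {a.get(NAME) for a in flt.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            prio = flt.get(PRIORITY)
            if prio is not None:
                best = max(best, int(prio))
    return best


def triage(manifest_xml: str) -> Dict[str, object]:
    """Capabilities granted by the manifest plus a heuristic 'suspicious' flag."""
    perms = declared_permissions(manifest_xml)
    capabilities = sorted(cap for cap, need in PRS_ABUSE.items() if perms & need)
    prio = sms_receiver_priority(manifest_xml)
    # SEND_SMS alone is legitimate for a messaging app. SEND_SMS combined with
    # the means to intercept replies (RECEIVE_SMS/READ_SMS, or a high-priority
    # SMS_RECEIVED receiver) is the premium-rate fraud pattern. 1000 is the
    # documented ceiling for ordinary app priorities; anything above it is a
    # constructed threshold for this demo.
    suspicious = ("send premium SMS" in capabilities
                  and ("hide/consume reply SMS" in capabilities or prio >= 1000))
    return {"capabilities": capabilities,
            "sms_receiver_priority": prio,
            "suspicious": suspicious}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A wallpaper app that declares SEND_SMS, RECEIVE_SMS and READ_CONTACTS, and registers a maximum-priority SMS receiver, is exactly the case in which PhonepayPlus says a tribunal is unlikely to accept Mobile Origination records as proof of consent: the capability to generate those records without the user is declared up front.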

PhonepayPlus issued the comments as part of wider guidance to PRS providers on “application-based payments”. Some consumers use premium rate services to pay to download apps, or additional content contained in apps, and add the cost onto their existing phone bill.

The guidance included advice on how PRS providers can obtain “robust” consent to charging from consumers. The regulator also said that PRS providers must ensure that they clearly signpost prices for mobile apps they allow consumers to buy at the point of sale.

“Where consumers make payment before they access an application, either as a one-off payment or a subscription, then it is important that they are given all information, including the price, which is likely to influence their decision to purchase before they consent to purchase,” the guidance said.

“Pricing information will need to be easy to locate within a promotion – ie close (proximate) to the access code or link to purchase a service. Where a promotion is contained within a website or a mobile website, it should not be necessary to scroll down (or ‘zoom in’ on a smartphone touchscreen) beyond the initially presented screen in order to discover the price, unless the access code or link to purchase a service is also in the same area. The price should also be easy to read once it is located, and easy to understand for the reader (i.e. be unlikely to cause confusion) and expressed in UK sterling. Loose or unclear descriptions of price are not acceptable,” it said.

However, in some cases it is acceptable for this general rule to be broken if the details about price are positioned prominently enough, PhonepayPlus said.

The PhonepayPlus Code requires that “consumers of premium rate services … [are] fully and clearly informed of all information likely to influence the decision to purchase, including the cost, before any purchase is made”.

The regulator’s guidance contains advice on the kind of information it would consider acceptable to provide when PRS providers deliver services that allow extra content within apps to be purchased. The providers can choose to inform consumers of the price of a purchase as and when the option arises, or clearly inform them about the extra purchase prices before they interact with the service, it said.

The regulator also strongly recommended that consumers be able to send ‘stop’ messages to providers in order to stop being charged and said that consumers should be made “fully aware” of circumstances where applications need to be uninstalled in order that charging stops.

PRS providers that allow consumers to pay for apps using “virtual currency” are also issued with guidance on how to comply with PhonepayPlus’ Code. Those providers should take measures such as ensuring consumers know what the “exchange rate” of the virtual currency is in relation to UK pound sterling, and clearly informing those consumers whether there is an expiry date for such currency to be used and circumstances in which the unused currency cannot be “redeemed,” the guidance said.

PhonepayPlus also said that consumers should not be allowed to buy services that would not work on their device.

“All providers of services offered via a mobile-based payment mechanic should ensure their services are compatible with each technical network platform and/ or handset on which they are promoted. Where this is not possible, consumers with incompatible devices should be prevented from purchasing the service in question,” it said.

When proposing the draft guidance in September last year, PhonepayPlus chief executive Paul Whiteing said that the regulator would “not hesitate to use [its] robust sanctioning powers to drive out rogue providers who could damage a vital part of the UK’s growing and innovative digital and creative economies”.

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/consent_may_not_count_for_malware_infected_apps/

US shuts down Canadian gambling site with Verisign’s help

The Department of Homeland Security has seized a domain name registered outside of the US, through a Canadian registrar, by individuals who are not American citizens.

What is unique about this case is that the American authorities did not get the domain’s registrar, a Canadian company, to pull the domain. Instead they went to Verisign, which operates the entire .com registry, and had it pull the glue records, the warrant states. Verisign hasn’t returned El Reg’s request for comment on its role.

The domain in question – bodog.com – has been in trouble before. Bodog is a big name in online gambling and as such an attractive target for many who are seeking to stop US citizens gambling online. It was set up and run by Canadian billionaire Calvin Ayre. He, and three others involved with the site, have been indicted and could be extradited to the US if the authorities catch them.

The indictment filed accuses the quartet of website operators of violation of Maryland law. It spends a lot of time talking about the money outside the US, and takes particular offence to the hiring of advertisers and PR droids to promote internet gambling.

“Sports betting is illegal in Maryland, and federal law prohibits bookmakers from flouting that law simply because they are located outside the country,” said US attorney Rod Rosenstein in a statement.

The indictment claims that Bodog paid out $100m in winnings to US gamblers, in violation of national law. The company is also accused of spending $42m to promote the site in various US states, including Maryland. The move came after an undercover investigation by the FBI, and with the help of a whistleblower who used to work at Bodog.

Certainly, Calvin Ayre is not a sympathetic character. He knew full well the laws of the various countries and states he marketed his website in, and certainly had the technological capability to at least attempt to block residents of countries in which online gambling is illegal from accessing his website.

“I see this as abuse of the US criminal justice system for the commercial gain of large US corporations. It is clear that the online gaming industry is legal under international law,” Ayre said in a blog posting.

By going to the registry operator of .com and having the records pulled, bypassing the registrar entirely, the DHS has sent the world exactly one message: anything hosted in the US, registered in the US, or using a domain whose registry is controlled by a US corporation is subject to American law.

Expect to see a big push from non-American internet service providers of all stripes capitalizing on this event to make “not hosted in America” a major selling point. Indeed, it already is. If your website relies on a .com, .net or other American-controlled domain, and you are not an American company, it may be time to revisit that strategy. .com has just depreciated in value. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/bodog_shut_via_verisign/

Irish ISPs urged to fit child porn filters

Irish senators have put forward a motion in the Seanad (Senate) urging the justice minister to force ISPs to block child abuse material online.

Ireland’s ISPs already delete reported illegal content from servers in the country, but the motion seeks legislation to force them to block material hosted overseas.

“The legislation should… direct that Irish internet service providers put in place a system whereby child abuse material… hosted overseas be blocked where removal proves difficult or is likely to take an unreasonable length of time,” the proposal read.

The motion is led by Independent Senator Jillian van Turnhout, who has lambasted ISPs for being more concerned with copyright violations than they are about child abuse images. Backers of the motion have also pointed out that similar kinds of rules already exist in other European countries including the UK and Norway.

“Norway has a population similar to ours. They block 10,000 to 12,000 requests a day,” internet safety advisor Pat McKenna of Childwatch told The Journal.

“In the UK, BT alone blocks 35,000 to 40,000 requests a day. That’s 58 million requests a year, just from one ISP.”

But the Irish ISPs have hit back at accusations that they are doing nothing to stop child abuse material online.

“We’ve been doing something which is in agreement with government since 1998 and that is the most effective thing. It is removing illegal content from our servers just as quickly as anyone can point it out to us – we have a hotline service to do that,” Paul Durrant, general manager of Internet Services Providers Association of Ireland (ISPAI), told Silicon Republic.

He said the ISPAI was happy to debate the idea of a child abuse material filter as long as it was done rationally.

“We feel that if this is to be debated, it has to stand not on emotional grounds, but on seriously factual ones and to look at the countries where they have actually implemented this and what it has really achieved rather than pushing out figures where, when you investigate them, they don’t actually show what the people think,” he said.

An email sent out to members by the ISPAI and seen by The Register claimed that the figures given for material blocked in other countries were misleading, because they counted all URLs relating to an IP address, some of which might not have any illegal content.

The motion will be debated in the Seanad today. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/irish_gov_child_abuse_filter/

India splurges £10m on new mega internet snooping HQ

India’s clampdown on its netizens is set to continue after its government revealed it is setting up a National Cyber Co-ordination Centre to monitor all web traffic flowing through the country – in the name of national security.

The Times of India had access to the minutes of a National Security Council Secretariat meeting held earlier this month, which claimed the new £10m centre would monitor all tweets, emails, email drafts, status updates and other messages.

The agency will be tasked with scanning “cyber traffic flowing at the point of entry and exit at India’s international internet gateways” in order to provide “actionable alerts” to relevant government departments in the event of a perceived security threat.

If a particular online message is flagged, the centre will have the right to open it up and see if it has actually unearthed a terror plot or merely snooped on an innocent chat – so obviously no privacy issues there, then.

“The coordination centre will be the first layer of threat monitoring in the country,” deputy national security advisor Vijay Latha Reddy said during the meeting, according to the leaked paperwork. “It would always be in virtual contact with the control room of the internet service providers.”

The Indian government is now said to be working out how many people it needs to staff the new centre as well as liaison roles within each government department.

The news comes as India’s much-publicised dispute with Research In Motion took another turn last week: the BlackBerry maker agreed to set up a BBM server in the country to enable the authorities to monitor traffic running on the service more easily.

Nokia’s Push Mail service is said to be next in line, while Yahoo, Google, Skype and others are thought to be in dialogue with the government about routing their services through servers in the country to ensure all comms channels can be monitored. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/india_censorship_web/

US gov IT services vendor swallows HBGary

US government IT services firm ManTech International has bought HBGary, the network forensics and malware analysis firm best known for last year’s hack by Anonymous against its now-defunct sister firm, HBGary Federal.

Financial terms of the deal, announced Monday, were not disclosed other than to say it was an “asset purchase” (a distinction that means ManTech avoids taking on any of HBGary’s liabilities, legal or financial).

ManTech said the acquisition would bolster its expansion into the cyber-security market. In a statement, HBGary CEO Greg Hoglund put a positive spin on the sale.

“ManTech will give HBGary significant and positive growth, expanding our opportunities. HBGary’s commercial customers will benefit from the addition of ManTech’s world-class incident response services, and ManTech’s government business will be bolstered with a cutting edge set of products to protect mission-critical IT assets.”

Former HBGary Federal CEO Aaron Barr planned to release information culled from social media on the top dogs of Anonymous at the Security BSides conference last year. But he never got the chance to give this presentation. Once news of the planned release came out, Anonymous turned the tables on HBGary Federal by hacking into its systems, defacing its website and extracting its email spools, which it then released as a torrent. The emails revealed proposals to run a dirty tricks campaign against WikiLeaks, among other embarrassing revelations.

Barr resigned in the wake of the hack while HBGary Inc was arguably damaged by association. HBGary Federal had been established with Barr as its chief exec because Barr had the contacts and security clearance to sell services to the US federal government.

By throwing its lot in with ManTech, HBGary is trying to achieve the same ends via a different, less risky, route. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/hbgary_mantech/