STE WILLIAMS

iPhone photo-slurping loophole sparks app privacy fears

Exactly how much data can be extracted from iPhones by apps without explicit user consent has been called into question after it emerged that software that has been granted access to location-finding services can siphon off punters’ photos.

The extraction of address book information without permission from the user has already raised privacy concerns, heightened this week after Facebook was obliged to deny that its iPhone app was reading private text messages.

But contact information is not the only thing Jesus-mobe owners need to be wary about.

Once an Apple fanboi grants permission for an iPhone or iPad app to access location information, the app can copy their photo library without any further notice or warning, The New York Times reports.

When an app wants to use location data, Apple’s devices prompt users for permission via a pop-up window that warns that proceeding “allows access to location information in photos and videos”.

Developers reckon this warning is mildly misleading because, once permission is granted, an iOS application might have access to the actual photos and video clips – not just the location where they were recorded. The functionality to support this was bundled in iOS version 4, which was released in 2010.

Whether any apps are actually using this to covertly extract user photos is unclear. Apple screens applications before allowing them to be made available through its App Store. However, this precaution may be insufficient, according to iOS developers.

“Conceivably, an app with access to location data could put together a history of where the user has been based on photo location,” David E Chen, co-founder of iOS application developer Curio, told The NYT. “The location history, as well as your photos and videos, could be uploaded to a server. Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use.”

Other developers quizzed by The NYT said that the problem basically stemmed from a misleading pop-up dialogue, rather than anything inherently bad.

“Apple is asking for location permission, but really what it is doing is accessing your entire photo library,” said John Casasanta, owner of iPhone app development studio Tap Tap Tap. “The message the user is being presented with is very, very unclear.”

The NYT asked an independent developer to write an iOS application that collected photos and location information from an iPhone as a test. The proof-of-concept app, dubbed PhotoSpy, was capable of siphoning photos from smartphones and tablets but (once again) its permission dialog screen only asked for location information.

Crucially the app was not submitted to the App Store. So privacy of photos on iPhones hinges on the robustness of Apple’s approval process, which is pretty tight, if not foolproof.

“Apple has a tremendous responsibility as the gatekeeper to the App Store and the apps people put on their phone to police the apps,” said David Jacobs, a fellow at the Electronic Privacy Information Center. “Apple and app makers should be making sure people understand what they are consenting to.

“We’ve seen celebrities and famous people have pictures leaked and disclosed in the past. There’s every reason to think that if you make that easier to do, you’ll see much more of it,” he warned.

Android users who give permission for an application to modify or delete SD card contents are equally opening up their photograph albums, along with everything else, often without the user realising it. So the issue of smartphone privacy is far from restricted to iPhone users.

Frankly the whole business is enough to tempt the more privacy-conscious back to the trusty Nokia 6310 – or carrier pigeons. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/iphone_photo_slurping_privacy_risk/

Government, business, military are internet security threats

RSA 2012 Usually the bête noire of the annual RSA conference is the criminal hacking community, but security guru Bruce Schneier asserts that government, business, and the military may well pose a bigger threat to security professionals.

“The current risks to internet freedom, openness, and innovation don’t come from the bad guys – they are political and technical. I suppose I should call this talk ‘Layer eight and nine threats’,” he told his audience on Tuesday at RSA 2012.

Attempts at ill-conceived legislation are a major concern, he said. Outsiders trying to legislate something they have no understanding of (a “series of tubes”, anyone?) has led to some very troubling moves on behalf of government on internet security. Sometimes these laws are brought forward for the best of intentions – however misguided – but all too often they are merely the result of lobbying.

The temporary suspension of SOPA/PIPA was a case in point, he said. The laws were not a good idea, but didn’t fail for that reason – and no politician wants to be seen as soft on crime, he pointed out. The success of the campaign had nothing to do with Wikipedia going dark and everything to do with Google and others using their own lobbying bodies against it.

Law enforcement was another example of government interference that Schneier highlighted. The police are constantly working to get new laws passed to force technology providers to make their systems easier to monitor. This had happened with packet switching, and he used RIM’s caving to governments over BlackBerry monitoring as an example.

He gave other examples, such as the increasing calls for anonymity to be banned online and for an internet “kill switch”. Both were probably technologically impossible, and even if they were doable they’d still be bad ideas, he commented. People can build their own anonymous networks that sit atop the internet, for example, and even if it were possible to take the US offline, one person with a satellite phone could render the whole exercise pointless.

On the business side of the equation, companies now harvest data willy-nilly and aggregate it to maximize advertising efficiency. The downside of this is that clumping all that lovely information together also makes a very attractive target for hackers. Google, Facebook, Apple, and Amazon are the main culprits, Schneier said.

He also pointed out that there was an increasing movement towards “feudal security” by these companies, where people accept devices they have limited control over in exchange for their usefulness and the perceived security of the brand. As security professionals, this should make people very nervous, he said, and it was part of a wider attack by the big IT businesses against open computing.

“There’s kind of a war against general-purpose computing,” he said. “Companies realized they made a mistake and they’re trying to get control back. Whether it’s smartphones or tablets, you give much more control to the companies.”

Finally, Schneier said that fears over online conflict have spawned a cyber–Cold War arms race. There have been convincing reports that both China and the US have scouted out each other’s networks and are planting logic bombs in the event the current situation turns hot. If one of those bombs activates accidentally, then the situation would get very serious very quickly, he warned.

Schneier highlighted the email leaks from HBGary, which basically outed the company as a cyber arms manufacturer, and although he wasn’t making any judgments, it was obvious that there is a lot of money to be made in this sector of the industry. But the military wasn’t leaving it at that.

“I suspect in the next few years you’re going to see very heavy military involvement in the national power grid and internet backbone,” he warned. “While we’re holding them back as long as we can, I think we’re going to lose. The result is less security for all of us.”

As a result, Schneier issued a call to arms for the security industry. People will have to get motivated to get the message about internet security out there and, hopefully, curb those threats to security and internet freedom.

“The security industry doesn’t have a lobby, common sense doesn’t have a lobby, technical excellence doesn’t have a lobby,” he said. “We need to get involved in layers eight and nine – the economic and political spheres. In the coming decade the future of the internet will be decided not by IETF, but by people outside it, and that worries me. I’m not sure they’ll do a great job.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/schneier_warns_government_business_threat/

Moore’s Law leaves mobile networks ripe for attack

RSA 2012 The GSM mobile standard is wide open for attack, experts have warned, thanks in part to the increasing amount of computing power available to hackers.

“Voice interception capability really depends on how much processing power you have,” said Aaron Turner, cofounder of security specialists N4struct, speaking at the RSA 2012 conference in San Francisco. “But that’s just a function of Moore’s Law – the faster computers get, the more data they can handle.”

In their presentation at RSA 2012, Turner and cofounder of Arbor Networks Rob Malan detailed how easy it is to break into mobile phones, either to slurp data, monitor voice calls, spam users, or turn the device into a bugging station. GSM code is incredibly brittle, Malan explained, mainly due to lack of oversight in the standards, and ever-increasing computing power is making phone hacking more commonplace.

“GSM is a fascinating space to play around in, but GSM infrastructure is very, very brittle and ripe for attack,” Malan warned. Mobile hacking has been limited in the past, because buying a cell tower and backend server to research weaknesses was beyond the ken of most hackers, he said. But it has now become possible to build mobile hacking systems for very little money, thanks to increased computing power and lower-cost radio equipment.

Hackers are also being helped directly by corrupt staff in mobile network operators, they explained. Once you have a target’s phone number, it’s possible in many cases to buy its international mobile equipment identity (IMEI) number for around $100 to $150. Once the number is found, it’s relatively easy to launch a brute-force attack on the GPRS protocols, since they sometimes use repeated passcodes, and gain access to the handset.

With equipment and information costing around $5,000, Turner estimates that you could build a monitoring network that would be capable of taking over a specified mobile phone at a range of up to 27 kilometers – and if you’re willing to spend more, the range of activities available widens.

Surveillance is still a popular target for hackers. A hacked phone can be turned into a tracking device, or have its microphone switched on to transmit private conversations without alerting the owner. This is very useful for insider traders, for example, or to gain information for blackmail or competitive advantage.

For more-direct financial gain, hackers also use premium-rate SMS messages. Turner said that one group of US companies had lost millions after their mobile networks were hacked and users were tricked into sending out high-cost text messages.

He also warned that in some countries in South America, Asia, and the Middle East, telecommunications providers are colluding with hackers for mutual profit. He advised countries to check the record of their local supplier, disable software updates, and consider leaving the phone at home altogether.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/moores_law_gsm_hacking/

Hacking breach made us stronger says RSA

RSA 2012 RSA president Art Coviello has said the hacking attack that breached its servers ended up making the company stronger and more effective.

“Since the breach we’ve dedicated ourselves to regaining and maintaining your confidence in us, with a sense of urgency as never before to apply the lessons we’ve learned first hand,” he told delegates at the opening keynote of RSA 2012 in San Francisco. “We are sharing and using them to drive strategy and investments and our product roadmap. We hope the attacks on us will strengthen the urgency and resolve of everyone because we are not alone – we’ve never witnessed so many attacks by hackers.”

The SecurID attacks should put the last nail in the coffin of perimeter defense, he said, and they had caused a rethink within RSA as to what was needed, and the skills and tools required by the modern security professional. He outlined three areas that need to be managed.

First, companies have to get a lot better at risk management. This means acknowledging the vulnerability of everyone to attack, the likelihood of being a target and the value of what can be stolen. Reaching an acceptable level of risk is the goal, he explained. IT managers need to know not only their own networks, but also know their enemies and what they are after.

Secondly, security needs to be a lot more agile. The sheer volume and skill of attackers means security systems have to be much more responsive to new threats. This will require a high level of automation, he said – there’s no way an IT manager can be faster than the attackers, so companies need to use automatic controls at all levels, from corporate systems (real and virtual) to any personal hardware used on the network.

Finally, big data is coming to security, he proclaimed. Companies need to absorb and analyze vast volumes of threat data and formulate policies to counter threats. This is possible with the increases in computing power, storage and data analysis tools, and there are products out there to do this, he said. But not everyone is using them.

The IT security industry seldom hired from the military, he said, but the military mindset is what’s needed. The security professional needs to be “offensive in their mindset”, a master of big data analysis, and have excellent situational awareness so they can constantly be tweaking the security model.

A sign of hope was that the industry is now sharing threat data much more openly than it has in the past. The industry wasn’t waiting for government or big business to force standards, but instead a grassroots information sharing effort was coming from the security community. RSA will be bringing out new products to help this, he promised, and the balance of power will remain with the security professional.

“We’re right, we’re free, we’ll fight, we’ll see – to quote the immortal words of Twisted Sister,” he concluded. “To take the title from that song, we’re not going to take it any more.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/hacking_rsa_made_stronger/

Cops cuff premium-rate SMS Android malware suspects

French police have arrested two men over an Android malware scam that netted an estimated €100,000, according to L’Informaticien.

The unnamed duo are suspected of infecting more than 2,000 Android smartphones with the Foncy Trojan, a strain of malware that sent text messages to premium-rate numbers at a cost of €4.5 a pop. The malicious code appeared in various guises, most recently as a fake EA Sports Madden NFL 2012 game, net security firm Sophos reports.

The malware was unusually sophisticated. Foncy exploited a vulnerability to root the phone before surreptitiously spewing SMSes. Infected phones also silently polled an IRC channel to obtain instructions from hackers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/french_android_malware_arrests/

Stratfor leak: US ‘has secret indictment’ of Julian Assange

US prosecutors have drawn up secret charges against WikiLeaks founder Julian Assange, according to a leaked internal email extracted from private US intelligence firm Stratfor and obtained by the whistleblower site.

WikiLeaks began releasing the first tranche of more than five million Stratfor emails on Monday in a bid to show “how a private intelligence agency works, and how they target individuals for their corporate and government clients”. Australian broadsheet The Age, which obtained early access to the emails through an investigative partnership with WikiLeaks, reports that in one internal email sent in January 2011 a senior Stratfor exec writes: “We have a sealed indictment on Assange”.

Stratfor’s vice-president for intelligence, Fred Burton, a former chief of counterterrorism in the US State Department diplomatic security service, made the comment in an exchange discussing media reports about unconfirmed US investigations into WikiLeaks. In the email (sent via a BlackBerry and published by WikiLeaks here), sent to fellow intelligence analysts, Burton underlined the potential sensitivity of the information on a possible US case against Assange by saying “Pls protect” and “Not for Pub[lication]”.

It’s unclear where Burton got his information (presumably from a government informant) or how accurate it is. But US charges against Assange have been the subject of consistent speculation.

The Australian embassy in Washington reported in December 2010 that the US Justice Department was running an “active and vigorous inquiry into whether Julian Assange can be charged under US law, most likely the 1917 Espionage Act”. The cable went on to describe the US investigation into WikiLeaks as “unprecedented both in its scale and nature” adding that rumours that a secret grand jury had been convened in Alexandria, Virginia, were “likely true”, The Age reports.

Suggestions that US prosecutors drew up secret charges against Assange some time ago have appeared while the WikiLeaks founder awaits a UK Supreme Court decision on an appeal against extradition to Sweden for questioning over an alleged sexual assault.

Lawyers acting for Assange have argued that his extradition to Sweden will open the door to a US extradition on possible espionage charges over the leak of confidential US military reports from Iraq and US diplomatic cables.

US army private Bradley Manning, a former Iraq-based intelligence analyst, faces court martial as the alleged source of classified US documents later published by WikiLeaks.

Stratfor provides intelligence and analysis to corporate and government subscribers. It’s described by some as corporate America’s Wannabe CIA.

The Texas-based global intelligence firm was infamously hacked by Anonymous last December, with the hackers making off with email spools and credit card information from insecure systems. Wikileaks doesn’t say where it got its information, but the dates covered by the emails – July 2004 to late December 2011 – are consistent with the hacktivists’ ransacking of Stratfor.

In a statement covering the release of the so-called Global Intelligence Files (GIFiles), Wikileaks states that the emails show “Stratfor’s web of informers, pay-off structure, payment-laundering techniques and psychological methods”. The statement makes no attempt to disguise the adversarial relationship that has developed between WikiLeaks and Stratfor, even accusing the Texas-based global intelligence outfit of attempting to subvert WikiLeaks.

The material contains privileged information about the US government’s attacks against Julian Assange and WikiLeaks and Stratfor’s own attempts to subvert WikiLeaks. There are more than 4,000 emails mentioning WikiLeaks or Julian Assange. The emails also expose the revolving door that operates in private intelligence companies in the United States. Government and diplomatic sources from around the world give Stratfor advance knowledge of global politics and events in exchange for money.

The Global Intelligence Files expose how Stratfor has recruited a global network of informants who are paid via Swiss bank accounts and pre-paid credit cards. Stratfor has a mix of covert and overt informants, which includes government employees, embassy staff and journalists around the world.

In a lengthy statement, George Friedman, founder and chief exec of Stratfor, suggested some of the emails might be forgeries while admitting others might be accurate. Friedman goes on to say the firm will neither confirm nor deny which are which, with the exception of saying that his supposed post-hack resignation email was a fake. He said the emails were extracted during the Anonymous hack, which he condemns.

As most of you know, in December thieves hacked into Stratfor data systems and stole a large number of company emails, as well as private information of Stratfor subscribers and friends. Today Wikileaks is publishing the emails that were stolen in December. This is a deplorable, unfortunate – and illegal – breach of privacy.

Some of the emails may be forged or altered to include inaccuracies. Some may be authentic. We will not validate either, nor will we explain the thinking that went into them. Having had our property stolen, we will not be victimized twice by submitting to questions about them.

The disclosure of these emails does not mean that there has been another hack of Stratfor’s computer and data systems. Those systems, which we have rebuilt with enhanced security measures, remain secure and protected.

The release of these emails is, however, a direct attack on Stratfor. This is another attempt to silence and intimidate the company, and one we reject. As you can see, emails sent to many people about my resignation were clearly forged.

Friedman goes on to defend Stratfor’s professional ethics.

Stratfor has worked to build good sources in many countries around the world, as any publisher of geopolitical analysis would do.

We are proud of the relationships we have built, which help our analysts better understand the issues in many of these countries through the eyes of people who live there.

We have developed these relationships with individuals and partnerships with local media in a straightforward manner, and we are committed to meeting the highest standards of professional and ethical conduct.

Stratfor is not a government organization, nor is it affiliated with any government. The emails are private property. Like all private emails, they were written casually, with no expectation that anyone other than the sender and recipient would ever see them. And clearly, as with my supposed resignation letter, some of the emails may be fabricated or altered.

Friedman concludes by apologising for last year’s breach and the inconvenience it has resulted in for the firm’s subscribers and employees. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/strafor_wikileaks/

Hackers chop down UN eco-agency, release rare data into wild

Hacktivists claim to have raided the website of the United Nations Environment Programme (UNEP) and extracted sensitive internal information.

The group, r00tw0rm, dumped an 82MB database file on Pastebin, which appears to contain hundreds of tables with administrator login details and user data. r00tw0rm has been busy over recent weeks with attacks against NASA and other organisations. The motive of the latest attack seems to be an attempt to mock the poor security of high-profile websites rather than anything overly political.

The Hacker News has more on the attack here.

The UNEP website was taken down and restored to normal by Tuesday lunchtime, less than 48 hours after the purported attack. The agency is the UN body responsible for co-ordinating environmental efforts and encouraging sustainable development among other functions.

It’s not the first time hackers have turned their attention towards a UN agency. Last November hacktivist group TeaMp0isoN ran a similar attack against the website of the United Nations Development Programme. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/un_agency_hit_by_hackers/

Banking Trojan hijacks live chat to run real-time fraud

A new strain of financial malware is hijacking live chat sessions in a bid to hoodwink business banking customers into handing over their banking login credentials or into authorising fraudulent transactions.

The attack is being carried out using the Shylock malware platform*, using a configuration that runs a browser-based man-in-the-middle attack. The assault – which targets business banking customers rather than consumers – kicks in when a victim logs into their online banking application.

Sessions are suspended, supposedly to run security checks (on the pretext that the “system couldn’t identify your PC”), before a web-chat screen under the control of hackers is presented to victims. But instead of talking to a customer service rep, the mark is actually chatting to cybercrooks, who attempt to hoodwink victims into handing over login credentials or other information needed to authorise fraudulent transactions. Unbeknownst to the victims, the fraudsters relay the authorisation data to the victim’s bank during the conversation, carrying out a concurrent fraud in real time.

“This web injection is followed by an elaborate web-chat screen, which is implemented in pure HTML and JavaScript,” Trusteer explains. “Within two to three minutes, if the user’s login is valid … the fraudster engages in a live online chat session with the victim. This exchange is apparently used to gather more information from the victim. The session may even be used to perform real-time fraud by enticing the victim to sign/verify fraudulent transactions that Shylock is initiating in the background.”

Phishing attacks that incorporate live chat have appeared before but these assaults (like this one detected by RSA in 2009) involved tricking victims into visiting phishing sites. Cybercrooks have refined this approach with the latest attack by embedding similar functionality into a malware platform so that they can present the attack as soon as victims log into banking applications from compromised PCs, avoiding the need to trick victims into visiting a phishing site they have established.

Phishing sites are subject to rapid takedown and blacklisting, so avoiding this step in the process is a major advantage to crooks.

Trusteer has more detail on the attack in a blog post here. ®

Bootnote

*Shylock is so named because every new build bundles random excerpts from Shakespeare’s The Merchant of Venice in its binary. The malware, which first appeared last September, has claimed a significant increase in infected machines over recent weeks, Trusteer separately warned earlier this month. Shylock uses a battery of tricks to escape detection by anti-virus scanners, as explained here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/banking_trojan_hijack_live_chat/

Younger generation taking ‘sledgehammer’ to security

RSA 2012 The new generation of “digital natives” coming into the workplace is going to blow apart existing security practices, Symantec’s CEO Enrique Salem warns.

In his keynote speech on Tuesday at the RSA 2012 conference in San Francisco, Salem said that the current young generation, born in the 1990s, has a radically different approach to the internet and security than that of the older “digital immigrants” who built it.

“These digital natives are a freight train coming that will hit businesses like a sledgehammer,” he warned. “They are the sledgehammer of change, and they’re going to need to work with digital immigrants like you and me.”

Salem said that the average US 21-year-old has sent over 250,000 emails, text messages, and IM sessions, has spent over 14,000 hours online, and doesn’t accept information from a single source, but checks with his or her network instead. They use email rarely and have never known life without the internet. They even think differently, multitasking constantly in what he called “continuous partial attention.”

Companies are going to have to get used to this, and should see productivity benefits, Salem said. But this style of working is going to need a dramatic reworking of traditional security practices, he warned, then proposed new ways to deal with the situation.

Authentication needs to be altered, he suggested, so that it is similar to single sign-on, but much more flexible for working across a variety of platforms. Security has to work on multiple devices, since digital natives take a “bring your own device” approach to hardware, and on multiple levels, so that it can incorporate new data such as location and online behavior.

The firewall will also need to be reinvented, he said, so that it not only watches what data comes into an organization, but also what data goes out. That data leaving via the cloud needs to be automatically tagged, since users can’t be trusted to do it themselves, and clear cloud audit trails need to be set up and monitored. Finally, IT administrators need to be able to shut down access to information quickly when the native leaves the company.

Salem raised some good points, but he was short on solutions. He promised that Symantec would provide protection, but gave little indication as to how and why. No doubt details will be forthcoming, but he set himself a very high target. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/younger_generation_sledgehammer_security/

Microsoft ‘fesses credit cards exposed by Indian store hack

Microsoft India has warned customers of its online store that their financial details may have been compromised, backtracking on a previous statement to the contrary.

Chinese hackers, apparently members of a group known as Evil Shadow Team, were thought to have breached Microsoft’s systems earlier this month, defacing the Microsoft India Store with a V for Vendetta image and the bizarre message: “Unsafe system will be baptized.”

The website was taken offline and remains inaccessible to this day, with a holding page claiming “Microsoft is working to restore access as quickly as possible”.

Speculation was rife at the time that Quasar Media, the digital media contractor Microsoft used to manage the site, had stored credit card info in plain-text format in a backend database, putting it at extreme risk of capture by the hackers.

However, Microsoft moved quickly to quash such rumours, claiming that “databases storing credit card details and payment information were not affected during this compromise”.

In time-honoured fashion, however, Redmond has now been forced to admit that this prognosis may have been a little over-hasty and optimistic, according to Wall Street Journal India blogger and Microsoft customer Amit Agarwal.

The new statement sent to customers via email from Microsoft India general manager Chakrapani Gollapali reads:

Further detailed investigation and review of data provided by the website operator revealed that financial information may have been exposed for some Microsoft Store India customers.

Redmond has set up a helpline – never a good sign – and asked any customers who have used their cards on the site to contact their provider as their details may have been exposed.

The Reg reached out to Microsoft to get confirmation of the email seen by Agarwal but without success so far. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/microsoft_india_card_breach/