STE WILLIAMS

How Google and Apple exposed their Achilles heels this week

Analysis In the massive tussle between Apple and Google, it is easy to forget that neither giant (for all their successes) is infallible. They are almost unbeatable in their core markets – Apple in device design and user experience, Google in search, advertising and online software.

But once they venture out of their comfort zones, disaster can ensue, exposing Achilles heels for rivals to exploit. Both have stumbled multiple times in the TV market, and this week highlighted the risks both take to their precious brands when they get too power hungry and seek to extend their control over too many elements of the web ecosystem.

Google Wallet snafu

Google temporarily pulled the prepaid cards that support its Wallet payments platform, briefly, but for long enough to raise serious doubts over the initiative. Meanwhile, Apple was making desperate concessions to try to rescue its troubled iAd mobile advertising system.

Google was forced to disable the prepaid cards for its new Google Wallet payments system last weekend, following discovery of a major security hole. The search giant wants to kickstart adoption of NFC-based mobile payments by including Wallet in Android handsets in the US, and to ensure that platform vendors, rather than operators, have the upper hand in mobile commerce.

However, last week’s intense attention to the security flaw in the software has been a setback, and Osama Bedier, VP of Google Wallet and Payments, acknowledged on a company blog that the prepaid cards were being pulled temporarily.

These cards allow users to upload money from credit cards to the virtual wallet on their phone, but Bedier said Google needed to “address an issue that could have allowed unauthorised use of an existing prepaid card balance if someone recovered a lost phone without a screen lock”. He insisted the weekend’s action was just “a precaution until we issue a permanent fix soon”.

The hole came to light when blogger The Smartphone Champ outlined how a hacker could easily access a pre-paid card, which is connected to the user’s device directly rather than a Google account. Crooks could therefore steal a phone and clear the data in the Wallet app, then log back in, at which point they would be prompted to enter a new PIN and Google account password. That would give them access to the card details and cash uploaded by the original owner.

Despite this, Bedier argued that Wallet remained a safe way to purchase goods, and better than “the plastic cards and folded wallets in use today”. The app currently works on the Nexus S 4G device on Sprint’s network and should come to other models and networks in the near future.

The whole incident aroused speculation that Wallet would prove to be another failed Google project, the latest in a string of experiments with hot markets where the search giant saw an opportunity to extend its influence – but was unable to deliver the required technology. There was a cull of such projects – including Google Labs, Google Health and Google PowerMeter – when Larry Page took the helm as CEO, vowing to “put more wood behind fewer arrows”.

Wallet is closer to market than those were, and is unlikely to go away altogether unless it clearly loses the market to a rival. Any perceived security risk is the kiss of death to a system that handles users’ money, but even before the recent problem, Wallet had not won the support Google would have hoped for.

Verizon Wireless deactivated Wallet when it launched the latest Nexus smartphone, officially while it tested the capability – but many pointed to conflicts with the carrier’s own participation in the Isis mobile payments initiative.

Six months after launch, Sprint remains the only carrier partner for Wallet and there are no signs of international plans. This issue is not unique to Google – all big NFC-driven plans have come up against retailer caution and consumer lethargy, which in turn has made the handset makers lukewarm about adding the pay-by-wave chips to their devices. The day of wireless NFC mobile payments is still a year or so away, and the question is whether Google will have the staying power to keep Wallet in the game until that day arrives.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/19/google_apple_wallet_advertising/

‘The full harm to Apple cannot be calculated’

Quotw This was the week when MySpace, which some of you may remember as once being a social network, came back from the dead thanks to its reinvention as a “meaningful social entertainment experience around content” with a million new users signing on since December last year.

Google locked up its Wallet service for now, after two different attacks showed that the electronic purse was not quite the safest place in the world.

And an angry American Dad emptied his pistol into his teenage daughter’s laptop after she complained on Facebook about the “slavery” of having to do chores like (gasp!) making her own bed. Unfortunately for the hapless teen whiner, her father is in IT, so he not only discovered the social network rant – he then shot up her laptop with a .45 and posted a video of it on YouTube.

This was also the week when Apple got a little taste of what it might be like to come out on the losing end of the Great Patent Wars when Chinese shops started pulling its iPads off the shelves after it lost a trademark infringement case brought by Proview International Holdings.

Proview, which claims it thought of the name “IPAD” ages ago, won the suit, even though Apple says it knows Proview thought of it ages ago, which is exactly why it bought the name from them.

The fruity firm said:

We bought Proview’s worldwide rights to the iPad trademark in 10 different countries several years ago. Proview refuses to honour their agreement with Apple in China and a Hong Kong court has sided with Apple in this matter. Our case is still pending in mainland China.

All this hasn’t stopped Proview from going all out and trying to get Chinese customs officials to ban imports and exports of the fondleslabs – thereby choking off Apple’s global supply.

However, so far, the government is none too impressed with the thought of trying to separate Asian fanbois from their beloved iDevices, cause they’re just too darn popular.

So popular, in fact, that they’re even all the rage in Samsung’s home territory of South Korea.

Frost & Sullivan’s Asia Pacific vice-president Jayesh Easwaramony told The Register that Apple has around a 70 per cent market share in the country because of its totally awesome user experience:

Apart from that the positive word of mouth and the appeal as a must-have product for its target segment is greater than the rest. Consequently more apps that optimise the screen have further enhanced the value of the product.

But why rely on the crowd-pleasing wonder of your products when you could be lining the pockets of patent litigation lawyers in an attempt to oust your opponents? In the latest round of Apple v Samsung, the fruity firm is now seeking a ban on the Galaxy Nexus phone in the US.

Apple wants the Ice Cream Sandwich-packing flagship phone pulled from the shelves ASAP, because if it’s not, there’s just no telling what could happen:

Absent preliminary relief, by the time Apple prevails in this case – and Samsung’s infringement is so clear there can be no serious dispute that Apple will prevail – Samsung will have rushed the Galaxy Nexus, which misappropriates many patented features from the iPhone, to capture market share from Apple that Samsung will be able to retain long into the future.

Even worse … the full harm to Apple cannot be calculated, making it impossible for Apple to be compensated by money damages.

Meanwhile, Microsoft is hoping to get people interested in its sites by using content from Facebook and Twitter. The tech giant has launched a new site, msnNOW (catchy), which will pool updates from the two social networks with its Bing search results to help people stay on trend.

Its typically annoying aspirational marketing bumpf extolled:

It cuts through the clutter of the web, providing an up-to-the-minute view of breaking trends and the hottest social conversations, what people are saying about them, and why they matter.

With the influx of content today across the web it can be challenging to ensure you’re seeing the relevant and credible content that matters most to you. msnNOW is the trusted source that will help make sense of the noise, anytime and from anywhere you’re online.

These “credible” issues that “matter” included, in one snapshot of the site, stories that Sports Illustrated cover model Kate Upton didn’t know who she was dating, Twitterers telling off Chris Brown because of his “harsh words” to the “haters” and Kobe Bryant, basketballer with the LA Lakers, snogging his wife at a game despite the fact that she’s filed for a divorce. And they were in the top four stories.

Microsoft was also in the news this week because its web store in India was reportedly hacked by a Chinese group with the comic-book-villain name, the Evil Shadow Team. The hackers are supposed to have posted a V for Vendetta mask on the site along with the message: “Unsafe system will be baptised”.

Giving nothing away, the site’s holding page read:

The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible. We apologise for any inconvenience this may have caused.

Long after Microsoft slurped Skype, Cisco has decided that it might be a bit worrisome for its own communications offerings and complained to the EU that Redmond could lock Skype into its platforms.

Marthin De Beer, Cisco vice president, said on the corporate blog:

The industry recognises the need for ubiquitous unified communications interoperability, particularly between Microsoft/Skype and Cisco products, as well as products from other unified communications innovators. Microsoft’s plans to integrate Skype exclusively with its Lync Enterprise Communications Platform could lock-in businesses who want to reach Skype’s 700 million account holders to a Microsoft-only platform.

But Microsoft doesn’t seem too upset by its sometime partner’s complaints:

The European Commission conducted a thorough investigation of the acquisition, in which Cisco actively participated, and approved the deal in a 36-page decision without any conditions. We’re confident the Commission’s decision will stand up on appeal.

Over in America, wireless broadband provider wannabe LightSquared was scrambling to save itself after the Federal Communications Commission decided that its network couldn’t co-exist with GPS and therefore it shouldn’t have one.

In response, CEO Sanjiv Ahuja said:

After years of receiving regulatory approvals, the FCC approved LightSquared to build its ground network in 2005. In 2010, the FCC amended that plan, requiring LightSquared to build a national broadband network that reached 260 million Americans. At the government’s mandate, LightSquared began investing billions of dollars in America’s infrastructure – without asking for any money from the American taxpayer. Yesterday, after LightSquared had already spent nearly $4 billion, the FCC changed its mind. There can be no more devastating blow to private industry and confidence in the consistency of the FCC’s decision-making process.

The firm is now looking to swap some of its unusable broadband spectrum for the reserves of the Department of Defense. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/17/quotw_ending_february_17/

Two UK airports scrap IRIS eye-scanners

The UK Border Agency’s multi-million-pound hi-tech eye-scanner programme is in danger of being scrapped, with two airports ditching the service and registration now closed.

A UKBA spokeswoman told The Register that the system was “under review”, but Manchester and Birmingham airports have already stopped using their scanners.

“Obviously there’s lots of new technology that’s coming through at the moment – biometric passports, fingerprints – so UKBA are reviewing all the technology that’s in place and iris scanning is one of them,” she said.

“Iris was good technology at the time, but faster and more reliable options have become available and have been rolled out across the border so that’s where we are with things.”

The UKBA website said that IRIS was no longer available at Birmingham and Manchester airports, but was still open at London’s Heathrow and Gatwick airports.

However, people are no longer able to register their eyes for the scheme, which was supposed to speed up the immigration control process for known users.

“All of our enrolment rooms at Heathrow, Gatwick, Birmingham and Manchester airports are closed until further notice,” the website said.

Passengers holding a British or EU passport with a biometrics chip will still be able to use the e-Passport gates to skip the manual immigration queues.

The IRIS scheme, which was launched in 2005/2006, cost around £4.9m to develop, the UKBA spokeswoman said.

The project was supposed to help speed up passport queues, but during the years it was operational, it was constantly being criticised.

Travellers apparently had a lot of trouble lining up their eyes with the iris recognition camera, resulting in the identification taking a lot longer than it was supposed to. Other passengers wouldn’t be recognised at all by the computer system and ended up having to be manually checked anyway.

A government report that pointed out the system’s shortcomings was published five years ago.

The UKBA spokesperson said that all tech implementations had their problems.

“We have to accept with any technology that there’s always going to be times when it doesn’t work,” she said.

London’s Heathrow terminals 1, 3, 4 and 5 are still using IRIS, as is Gatwick North, and the system will continue to be used there during the massive influx of travellers for the Olympics this summer.

There’s been a lot of concern about IT systems that airports will be relying on to get visitors and competitors through border control for the games. Earlier this month, it was reported that Heathrow might not get facial recognition technology for non-EU travellers planned for all five of its terminals in time. And that implementation has been held up because UKBA is busy investigating the scandal that erupted when it was claimed that fingerprint checks were regularly abandoned to speed things up.

The UKBA spokeswoman said that the agency was working closely with officials in different countries to collect biometric data on individual competitors and their families ahead of the Olympics so they won’t be held up, and added that there would be additional staff during the Games. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/17/iris_scanners_scrapped_at_two_airports/

‘Predictably random’ public keys can be cracked

Analysis Cryptography researchers have discovered flaws in the key generation that underpins the security of important cryptography protocols, including SSL.

Two teams of researchers working on the problem have identified the same weak key-generation problems. However, the two teams differ in their assessment of how widespread the problem is – and crucially which systems are affected. One group reckons the problem affects web servers while the second reckons it is almost completely confined to embedded devices.

EFF group: It could lead to server-impersonation attacks

An audit of the public keys used to protect HTTPS connections, based on digital certificate data from the Electronic Frontier Foundation’s SSL Observatory project, found that tens of thousands of cryptography keys offer “effectively no security” due to weak random-number generation algorithms.

Poor random-number generation led to prime factors being shared between keys. As a result, keys with a 1024-bit RSA modulus, the worst affected scheme, were only 99.8 per cent secure. Such a figure would be considered very good in most circumstances, but not in this context, because it means two out of every 1,000 of these RSA public keys are insecure.

The weakness creates all manner of problems, as the researchers explain.

The consequences of these vulnerabilities are extremely serious. In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server.

Secondly, unless servers were configured to use perfect forward secrecy, sophisticated attackers could extract passwords and data from stored copies of previous encrypted sessions. Thirdly, attackers could use man-in-the-middle or server impersonation attacks to inject malicious data into encrypted sessions.

The researchers, led by Arjen Lenstra of Ecole Polytechnique Federale de Lausanne, are working with the EFF to notify operators of servers affected by the vulnerability, urging them to switch to new keys as soon as possible. The group will also be discussing its findings with Certificate Authorities and browser vendors.

The team used the Euclidean algorithm, a 2,400-year-old method for computing greatest common divisors, to look for cases where prime factors were unexpectedly shared by multiple visible public keys, as well as for moduli that were unexpectedly shared by multiple certificates, which are much easier to spot. The security of RSA relies on the computational difficulty of factoring the product of two very large prime numbers. That security is seriously undermined if the prime factors are not random: two moduli that happen to share a prime are both factored by a single GCD computation, however large the primes are.

The study focused on looking at RSA (the cryptosystem behind TLS, which is used to secure HTTPS transmissions) and ElGamal (the most common class of cryptosystem behind PGP).

Michigan group: It just affects embedded devices

Another set of security researchers working on the same problem were able to remotely compromise a higher percentage: about 0.4 per cent of all the public keys used for SSL web site security. They said: “The keys we were able to compromise were generated incorrectly – using predictable ‘random’ numbers that were sometimes repeated.”

The group – Zakir Durumeric, Eric Wustrow, Alex Halderman and Nadia Heninger of the University of Michigan – developed a tool that could factor these keys and, in only a few hours, handed them the private keys of every host on the internet vulnerable to this attack.

The Michigan group reckons the problem largely affects network devices rather than web servers, and is certainly no reason to forgo the cost and convenience benefits of e-commerce, as they explain in a blog post on Freedom to Tinker.

There’s no need to panic as this problem mainly affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers. (It’s certainly not, as suggested in the New York Times, any reason to have diminished confidence in the security of web-based commerce.)

Unfortunately, we’ve found vulnerable devices from nearly every major manufacturer and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak keys found to be generated by a device suggest that the entire class of devices may be vulnerable upon further analysis.

Almost all of the vulnerable keys were generated by and are used to secure embedded hardware devices such as routers and firewalls, not to secure popular web sites such as your bank or email provider. Only one of the factorable SSL keys was signed by a trusted certificate authority and it has already expired.

The US researchers are in the process of informing equipment manufacturers about the potential problem while they put the finishing touches to an upcoming paper on the subject. ®
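The scan both groups describe, the Euclidean search for shared prime factors across a large batch of RSA moduli, in working form as an added example; this is not code from the EFF/Lenstra team or the Michigan team, and the moduli are constructed 64-bit toys (real primes, toy sizes) so that it runs in milliseconds. Pairwise GCDs over millions of keys are too slow, so the block uses the product-tree/remainder-tree batch GCD that makes an internet-scale scan feasible; the helper names and the sample "scan" are assumptions for illustration.

```python
"""Batch-GCD scan for RSA moduli that share a prime factor.

Added example for this article; it is not code from either research group.
All moduli below are constructed from real primes at toy (32-bit) sizes so
the script finishes instantly; the algorithm is unchanged for 1024-bit keys.
"""
from math import gcd


def product_tree(xs):
    """Levels of a product tree: level 0 is the inputs, the last level is [prod(xs)]."""
    levels = [list(xs)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    return levels


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other N_j).

    Pairwise gcd over k keys costs O(k^2) big-number operations; the
    product-tree / remainder-tree form below is quasi-linear, which is what
    makes a whole-internet scan feasible.
    """
    levels = product_tree(moduli)
    rems = levels[-1]                        # [P], the product of every modulus
    for level in reversed(levels[:-1]):      # walk back down: P mod N_i^2 at the leaves
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # P mod N_i^2 is divisible by N_i; dividing it out leaves (P / N_i) mod N_i.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_weak_keys(moduli):
    """Map index -> shared prime for every modulus whose gcd with the rest is a
    proper factor. A gcd equal to the modulus itself means the whole key is
    repeated in the batch (the 'shared by multiple certificates' case)."""
    weak, repeated = {}, []
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == n:
            repeated.append(i)
        elif g > 1:
            weak[i] = g
    return weak, repeated


def recover_private_exponent(n, p, e=65537):
    """Given one prime of n, rebuild d exactly as the key's owner would have."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed "scan" of six moduli. Keys 0 and 3 reuse P_SHARED, the way two
# devices with identical first-boot entropy would; key 5 is a verbatim copy of
# key 4, as when one certificate is reused across hosts.
P_SHARED = 4294967291
MODULI = [
    P_SHARED * 1000000007,        # 0: weak, shares P_SHARED with 3
    1000000009 * 998244353,       # 1: fine
    2147483647 * 4294967311,      # 2: fine
    P_SHARED * 1000000021,        # 3: weak
    1000000033 * 999999937,       # 4: fine on its own ...
    1000000033 * 999999937,       # 5: ... but a duplicate of 4
]


def demo():
    weak, repeated = find_weak_keys(MODULI)
    for i, p in weak.items():
        d = recover_private_exponent(MODULI[i], p)
        msg = 123456789
        assert pow(pow(msg, 65537, MODULI[i]), d, MODULI[i]) == msg
        print(f"key {i}: shared prime {p}, private exponent recovered")
    print("repeated moduli:", repeated)
    return weak, repeated


if __name__ == "__main__":
    demo()
```

The check a practitioner would add is the one the article's numbers come from: a modulus that shares a factor with any other key in the batch is factored for free, so the remedy is not a longer key but a fresh one generated with real entropy, and a repeated modulus is just as bad because its private key is whichever of its holders an attacker can reach.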

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/16/crypto_security/

DNS flaw reanimates slain evil sites as ghost domains

Analysis Cyber-crooks may be able to keep malicious domains operating for longer – even after they are revoked – by manipulating the web’s Domain Name System (DNS).

A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team of researchers from universities in China and the US. These DNS servers are critical to the running of the internet: they convert human-readable domains into numeric addresses that networking kit can understand in order to route, say, page requests to the right websites.

In their paper Ghost Domain Names: Revoked Yet Still Resolvable, the researchers – Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu – explain:

Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper level DNS servers.

In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers.

Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70 per cent of the servers will still resolve it.

The researchers found that DNS server implementations from ISC (BIND), Microsoft, Google and OpenDNS are all potentially vulnerable. There is evidence that the vulnerability has been exploited, and the prevalence of the flaw makes the possibility of attack far from theoretical.

“This vulnerability can potentially allow a botnet to continuously use malicious domains which have been identified and removed from the domain registry,” the Sino-American team warns.

The academics suggest various approaches towards mitigating the problem. Independent experts in the field agree that ghost domains pose a risk but disagree about how much danger they pose or how difficult they might be to fix.

Jack Koziol, a director at the InfoSec Institute, a Chicago-based security biz, told El Reg that ghost domain DNS trickery might be used by cyber-crooks to keep malicious domains alive and resolvable for much longer, perhaps even indefinitely. He thinks the flaw will be tricky to correct.

Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.

“If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet,” Koziol explained. “Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc).

“Now, with this ghost domain exploit, malware authors can keep their domains alive indefinitely, because of the vulnerability described, deleting domains at the TLD level isn’t going to work any longer. It vastly complicates the effort behind getting bad domains off the internet.”

Prateek Gianchandani, a security researcher at the institute, has published a detailed analysis of the ghost domain problem, including screenshots of DNS lookups that illustrate the risk.

The InfoSec Institute hasn’t seen the flaw exploited in anger as yet, but nonetheless considers it a serious risk. “We don’t have documented proof yet, but have a few scripts running to watch for it,” Koziol explained.

Cricket Liu, a DNS book author, expert and vice-president of architecture at DNS appliance firm Infoblox, agreed that ghost domains posed a potential threat, but said this issue was neither particularly severe nor hard to prevent.

“It is a threat, but I think it’s worth pointing out that it’s relatively simple to prevent,” Liu explained. “By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you’d prevent malicious folks on the internet from refreshing their delegation.”

“DNSSEC offers another layer of protection; zones that have been signed don’t have this problem. (Of course, that’s incentive for bad guys not to sign the zones they use for their malicious purposes.)”

The high-water mark of DNS security flaws was set by a widespread cache poisoning problem famously identified by security researcher Dan Kaminsky back in 2008. Liu reckons the ghost domain flaw is nowhere near as severe – not least because it doesn’t involve a flaw in the DNS protocol itself, unlike the earlier Kaminsky mega-bug.

“This vulnerability and the Kaminsky vulnerability are very different,” he explained. “This new one doesn’t let you inject arbitrary data into a cache, it only lets you maintain some existing data in a cache; it is worth noting that the impact is minimal if the vulnerability is actually executed.” ®
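The mechanism the paper describes, and the two mitigations Liu mentions, as an added simulation; this is not code from the paper's authors or from any real resolver. It models one recursive resolver's cache for a single delegation and the decision the attack turns on: what happens when the malicious zone's own server hands back a fresh copy of its NS records in the authority section. The zone name, addresses, TTLs and the 12-hour refresh schedule are constructed, and the "fixed" policy is a deliberate simplification (delegation data learned from the child never extends the expiry the parent set).

```python
"""Ghost-domain cache behaviour, simulated.

Added example for this article; not code from the paper's authors or from any
resolver. One recursive resolver, one delegation, three policies. Names,
addresses and TTLs are constructed.
"""

DAY = 86400
PARENT_NS_TTL = 2 * DAY   # TTL of the delegation as served by the TLD (assumed)
CHILD_NS_TTL = 2 * DAY    # TTL the attacker puts on the NS RRset his own server serves (assumed)
ZONE = "evil.example"
VICTIM = "10.0.0.5"        # a client inside the resolver's network (constructed)
ATTACKER = "198.51.100.9"  # the attacker refreshing from the internet (constructed)


class Tld:
    """Upper-level server: serves a delegation until the registry deletes it."""
    def __init__(self):
        self.delegations = {ZONE: ("ns." + ZONE, PARENT_NS_TTL)}

    def revoke(self, zone):
        self.delegations.pop(zone, None)

    def query(self, zone):
        return self.delegations.get(zone)          # None stands for NXDOMAIN


class AttackerNs:
    """Authoritative server for the malicious zone. Every answer carries the
    zone's own NS RRset in the authority section with a full, fresh TTL."""
    def __init__(self, zone):
        self.zone, self.name = zone, "ns." + zone

    def query(self, qname):
        return {"answer": "203.0.113.7",
                "authority": (self.zone, self.name, CHILD_NS_TTL)}


class Resolver:
    def __init__(self, tld, servers, refresh_from_child, allowed_clients=None):
        self.tld = tld
        self.servers = {s.name: s for s in servers}   # stands in for glue/A lookups
        self.refresh_from_child = refresh_from_child  # True = the vulnerable behaviour
        self.allowed = allowed_clients                # None = open recursive resolver
        self.cache = {}                               # zone -> (ns name, expires_at)

    def resolve(self, qname, zone, now, client):
        if self.allowed is not None and client not in self.allowed:
            return "REFUSED"                          # Liu's ACL mitigation
        entry = self.cache.get(zone)
        if entry is None or entry[1] <= now:          # no usable delegation: ask the parent
            deleg = self.tld.query(zone)
            if deleg is None:
                self.cache.pop(zone, None)
                return "NXDOMAIN"
            self.cache[zone] = (deleg[0], now + deleg[1])
        ns_name = self.cache[zone][0]
        reply = self.servers[ns_name].query(qname)
        child_zone, child_ns, child_ttl = reply["authority"]
        if self.refresh_from_child:
            # The flaw: the child's NS RRset overwrites the cached delegation and the
            # TTL starts over, so the parent is never consulted again as long as
            # somebody keeps querying before expiry.
            self.cache[child_zone] = (child_ns, now + child_ttl)
        # The fixed policy modelled here simply keeps the parent-derived expiry.
        return reply["answer"]


def simulate(refresh_from_child, allowed_clients=None, days=7):
    """Cache the domain, revoke it at t=0, let the attacker poke the resolver
    every 12 hours for `days` days, then see what a victim gets afterwards."""
    tld = Tld()
    resolver = Resolver(tld, [AttackerNs(ZONE)], refresh_from_child, allowed_clients)
    qname = "c2." + ZONE
    resolver.resolve(qname, ZONE, -DAY, VICTIM)       # day -1: delegation gets cached
    tld.revoke(ZONE)                                  # day 0: registry pulls the domain
    for hour in range(12, days * 24 + 1, 12):
        resolver.resolve(qname, ZONE, hour * 3600, ATTACKER)
    return resolver.resolve(qname, ZONE, (days + 1) * DAY, VICTIM)


if __name__ == "__main__":
    print("vulnerable, open resolver:   ", simulate(True))
    print("vulnerable, ACL on recursion:", simulate(True, allowed_clients={VICTIM}))
    print("fixed resolver, open:        ", simulate(False))
```

The first run reproduces the paper's headline: a week after revocation the open, vulnerable resolver still hands out the attacker's address. The second shows why Liu's ACL works, since the attacker's refresh queries are refused and the delegation expires at its original TTL. The third shows the resolver-side fix, which makes the refresh queries harmless whoever sends them.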

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/

Euro data protection: Great for punters, not for biz

Comment A colleague of mine went to a lecture on the European Commission’s proposed Data Protection Regulation last week*. One of the speakers was John Bowman, Head of International Data Protection and Policy at the UK’s Ministry of Justice. His opening question to the floor was: “How many of you here represent consumer groups?”

Not surprisingly, a couple of attendees raised their hands. “Exactly,” he said, warming to his theme, and went on to explain how the MoJ wanted to hear from business as to how the proposed Regulation would affect them and, in particular, the costs they would have to incur to meet the requirements.

He said that the government’s view was that the Regulation was all about protecting the citizen and that the Regulation was biased; he added that there needed to be more of a balance towards the interests of companies (ie, data controllers).

Bowman went on to say that the UK is in an economic downturn and we need to make sure business interests are protected at such a time. He said the Regulation “gold-plated citizens’ rights”, was “disproportionate” and that we needed to “plough on with the British economy”.

He added that the US and the UK were leading the world on a digital agenda and that there was a strong economic argument that these interests should be protected (by minimising the impact of the Regulation on the internet). He finished by asking all businesses to respond to the MoJ’s “call for evidence” (closing in early March).

The MoJ link to the “call for evidence”** echoes this data controller emphasis. It states that: “In particular, we would like information on the potential impact on organisations processing personal data, as well as the likely benefits to individuals through strengthened rights. Wherever possible, we would like this information to include practical, day-to-day examples of the proposals’ possible effects and monetised cost and benefit figures. We would also like views on the extent to which these proposals build trust in the online environment, whether they can contribute to economic growth”.

This approach is not surprising. All UK governments (from John Major’s government in 1990) have always had a minimal approach to data protection from the data subject’s perspective. That is why the European Commission claims that the Data Protection Act 1998 does not properly implement Directive 95/46/EC. (Readers may be aware that 18 of the 34 articles in the Directive have not been properly implemented.***)

My own view is that the MoJ “call for evidence” is fatuous. Has the MoJ issued a document that explains the Regulation in detail? (Answer: No.) So how can businesses make informed comments as to costings if they don’t know how in detail the Regulation will apply? Is the MoJ expecting businesses to make their own interpretation of the Regulation by some strange osmotic process? In short, I think all the MoJ will collect is a spate of inaccurate costings and comments based on incorrect or incomplete interpretation of the Regulation.

And what will data subjects do? Well it’s obvious – if they have any sense at all they will write to the MoJ in their hundreds in support of the extended protection afforded by a Regulation (hopefully adding that they support the Regulation because the UK Government cannot be trusted following its failure to implement the Directive 95/46/EC properly***).

In short, the MoJ has set up a numbers game where the ministry wants to say that the vast majority of respondents are opposed to costly changes to the Data Protection Act. However, an embarrassing number of data subjects writing in support of the changes proposed in the Regulation would make that claim “sort of difficult”. ®

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Bootnotes

* The lecture was organised by Field Fisher Waterhouse, the City law firm that employs data protection stalwart Stewart Room and which hosts meetings of the National Association of Data Protection Officers, an information law grouping that has expanded its interest to cover FOI and RIPA issues as well.

** The MoJ’s call for evidence closes on 6 March (a short time span).

*** A list of deficiencies in UK’s Data Protection Act identified by the European Commission.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/16/data_protection_regulation/

Sensitive council data sent to hundreds via PERSONAL EMAIL

Cheshire East council has been fined £80,000 by the Information Commissioner’s Office (ICO) for failing to have adequate security measures in place when emailing personal information.

The ICO said the serious breach of the Data Protection Act occurred in May 2011, when a council employee was asked to contact the local voluntary sector co-ordinator to alert local voluntary workers to a police force’s concerns about an individual who was working in the area.

Instead of sending the email via the council’s secure system, the employee sent it via her personal email account. The email contained the name and an alleged alias for the individual, as well as information about concerns the police had about him. The correspondence was then forwarded by the co-ordinator to 100 intended recipients.

The council employee said she sent the email from her personal account because the co-ordinator did not have an appropriate email address and that using the secure email system would have prevented the information from being further disseminated.

As the email did not have any clear markings or advice on how it was to be treated, the recipients interpreted the wording of the message to mean that they should also forward the email to other voluntary workers. As a result, it was forwarded on to 180 unintended recipients.

Following the breach, the council attempted to recall the email to prevent further disclosure. More than 57 per cent of the recipients said that they had deleted the information.

Stephen Eckersley, head of enforcement at the ICO, said: “While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed.

“Cheshire East council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.”

He added: “I hope this case, along with the fact that we’ve handed out over £1m worth of penalties since our powers came into force, acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/16/cheshire_east_council_slapped_with_80_thousand_pound_fine_for_data_breach/

Teen hacker claims smut site hack

A teenage hacker claims to have broken into the Brazzers, the hardcore porn portal, before making off with hundreds of thousands of user login details.

The 17-year-old Morocco-based hacker uploaded a sample of the stolen data – customer email details, usernames and passwords – as apparent proof of his exploits. He claims to have the personal information of 350,000 users.

The hacker said he was motivated by the desire to highlight a security vulnerability on the adult site, rather than anything overtly political. He did, however, claim allegiance to hacktivist collective Anonymous in an email exchange with AP.

Anonymous splinter group LulzSec carried out a similar operation against porn site Pron.com last June but these days Anonymous appears to be focusing on more highbrow operations, for example breaking into websites in Bahrain to mark the anniversary of the uprising in the country (today’s Op De Jour).

Brazzers has ‘fessed to a breach. Karen Miller, spokesperson for Brazzers’ parent company Manwin Holding, told AP that the hacker had accessed its network via an old (inactive but still linked) user forum. No credit card data was exposed, the firm stresses.

An investigation into the breach is underway. Brazzers is in the process of notifying potentially affected smut subscribers. In the meantime its websites are operating as normal.

Brazzers – which bills itself as the “world’s best porn site” – operates a stable of 30 hard-core smut sites, many of which cater to fans of ladies with large and surgically enhanced mams.

Security watchers over at Sophos’ Naked Security blog have criticised the person who breached the site for splurging user details online rather than notifying Brazzers about the problem or otherwise seeking to responsibly disclose the flaw. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/14/smut_site_hack/

Google tightens its Wallet after PIN reset goof

Google has started provisioning electronic wallets again having fixed the more trivial security flaw in its product – though determined hackers will still get in.

Google suspended the supply of Wallets after it emerged that simply clearing the application data reset the protecting PIN. Now anyone trying to extract pre-paid credit from a stolen handset will have to root the phone and break the encryption on the PIN instead.

But that process shouldn’t take more than a few minutes, and was demonstrated by zvelo last week. However, it does require specialist software and a bit of knowledge including the best way to root the handset, so Google’s fix will prevent simple theft and the electronic wallet remains a good deal more secure than its physical counterpart.

Google continues to make the rooting process more complicated, and some handsets automatically factory-reset the device on rooting (giving developers the freedom to install their own low-level code while still protecting user data). But in an extended blog post zvelo discusses how vulnerabilities continue to make Google Wallet accessible, and argues that Android’s architecture is fundamentally flawed.

Google reckons no one suffered from the temporary weakness in the PIN protection of the Wallet, but that’s probably due to the tiny number of punters actually using the product. A thief asking to bonk a Google Wallet-enabled phone on the till would probably attract more attention than he’d like, and nicking a real wallet is still a lot more profitable.

The trivial flaw shouldn’t have existed, but Google deserves credit for doing everything it could to forestall, and fix, the problem. More concerning is the damage done to the already marginal public confidence in the security of wireless NFC payment systems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/google_wallet/

Critical IE update dominates Valentine’s Patch Tuesday

The Valentine’s Day edition of Patch Tuesday brought nine security bulletins that collectively address 21 software vulnerabilities.

The batch includes four critical updates but the consensus among security experts is that a security patch for IE is the only one that sysadmins need to worry about. That’s because MS12-010 addresses four flaws in all supported versions of Internet Explorer that might easily lend themselves towards crafting drive-by-download exploits and other unpleasantness.

“This month’s Patch Tuesday is relatively light,” said Jim Walter, manager of the McAfee Threat Intelligence Service at McAfee Labs. “The Internet Explorer bulletin should be considered a top priority, as there’s a risk of code execution attacks. If not attended to, browser exploits can be particularly harmful.”

Wolfgang Kandek, CTO at Qualys, adds that another patch (MS12-013) addresses an “equally dangerous” flaw in Windows.

“Attackers can exploit a flaw in a Windows DLL (msvcrt.dll) through a maliciously crafted media file run through Windows Media Player,” he explains. “Include this bulletin in your list of high priorities.”

The other two critical and five important updates (affecting Microsoft Windows, Microsoft Office and .NET/Silverlight) are less of a practical problem than they might have appeared to be last week, before we knew more about the flaws the updates attempt to resolve, he adds.

Tuesday also brought a series of critical patches for Shockwave Player (Windows and Mac) and one important update in RoboHelp for Word from Adobe.

Multiple third-party vendors have released security updates since January’s Patch Tuesday. These include Opera, Google Chrome (twice), Yahoo Messenger, Mozilla Firefox (twice), Mozilla Thunderbird (twice), Mozilla SeaMonkey (twice), Real Player and Skype.

Jason Miller, manager of research and development at VMware – the security researcher keeping count of third-party security updates – warns the sheer volume of updates means a heavy patching workload for some sysadmins.

“For those administrators who wait for a monthly maintenance window for their patching needs, this month is going to be quite a large month combining all of the Microsoft and non-Microsoft security bulletins released since the last Patch Tuesday,” he said.

Details of the patches are published by Microsoft and Adobe respectively. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/patch_tuesday/