STE WILLIAMS

Twitter mobile apps storing address books for 18 months

Twitter has become the latest in a growing list of companies caught storing users' data without making that explicit.

The company has admitted that it is storing the entire address books of users for 18 months, if they use the “Find Friends” feature on its iOS and Android clients. The function searches through your existing address book looking for matches on Twitter, but doesn’t make it clear that Twitter will be storing the data, or for how long.

“We want to be clear and transparent in our communications with users,” Twitter spokeswoman Carolyn Penner told the Los Angeles Times. “Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends — to be more explicit. In place of ‘Scan your contacts,’ we will use ‘Upload your contacts’ and ‘Import your contacts’ (in Twitter for iPhone and Twitter for Android, respectively).”

She also pointed out that Twitter users can remove the information from their contacts database on Twitter using the company's own Remove tool on the Import Contacts page. The data may still be held in backups, however, a point on which El Reg has yet to hear back from Twitter.

Applications that harvest address books are the witch-hunt du jour, after mobile social networking company Path was forced to admit last week that it had been harvesting and storing users' address-book details without asking. That company also promised to fix the problem in its next update. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/twitter_stroes_address_books/

Child abuse files stolen from council worker in PUB

The UK’s data protection watchdog has fined two English council bodies a total of £180,000 after finding they had failed to keep “highly sensitive information” about children secure.

Croydon Council was fined £100,000 after a bag containing papers about a child sex abuse court case was stolen from a social worker in a pub in April last year, the Information Commissioner’s Office (ICO) said.

Norfolk County Council was fined £80,000 after a social worker at the authority hand-delivered a report featuring “highly sensitive personal data about a child’s emotional and physical wellbeing, together with other personal information” to the wrong address.

The report was delivered to the next door neighbour of the intended recipient, also in April 2011, after the social worker wrote the wrong address down on the report, the ICO said.

The ICO said that Croydon Council had failed to communicate its data protection guidance to staff and had inadequate checks in place to ensure it had been read and understood.

The council’s policy on data security also did not include the requirement that sensitive personal data be kept secure when taken off-premises, the watchdog said.

The social worker at Norfolk County Council had failed to complete mandatory training in data protection and the authority did not have appropriate systems in place to check this, the ICO said. The council also failed to operate a system that requires colleagues to check each other’s work to ensure sensitive information is sent to the right address, it said.

Both authorities have agreed to alter their data protection practices following the breaches.

“We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place,” Stephen Eckersley, head of enforcement at the ICO, said in a statement. “One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.

“While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation,” he said.

Under the Data Protection Act, organisations in control of personal data are required to take “appropriate technical and organisational measures” to prevent “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. The Act requires extra care around the handling of sensitive personal data, such as information relating to individuals’ “physical or mental health or condition”. Under the Act the ICO has the power to issue fines of up to £500,000 for serious breaches of personal data.

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/councils_fined_for_exposing_chile_welfare_papers/

Blighty’s gov to spunk up to £2.9b on crim-stalking tech

The Ministry of Justice (MoJ) is looking to spend up to £2.9bn on electronic monitoring technology.

The department monitors about 25,000 people electronically at any one time, using the technology to help enforce the curfew of an individual under a community order, a court bail order, or released on licence.

Some 116,000 people were monitored electronically over 2010-2011 – a 9 per cent rise year on year.

With an expected increase in monitoring levels this year, the MoJ has put out a tender for related software, hardware and services. The deal, valued at between £583m and £2.9bn, is to last six years with an option to extend for a further three, according to a notice in the Official Journal of the European Union.

The deal is divided into four lots: the first is for the provision of a national electronic monitoring service in England and Wales, including the processing centre, related hardware and software and deployment of field operatives. The supplier for lot one will act as the systems integrator for the other three lots.

Lot two includes monitoring and mapping software applications; lot three involves hardware such as ankle bracelets and handheld devices capable of monitoring a subject’s curfew and which areas they are excluded from; and lot four covers the provision of mobile data and voice used by the monitoring service.

The MoJ says in the notice that it may in future decide to use the PSN connectivity and services frameworks to award lot four. The frameworks are expected to be released in the coming months.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/moj_electronic_monitoring/

Microsoft code not the security sieve sysadmins should be worried about

The gap between software patched by IT departments and the applications cyber-criminals actually target is leaving organisations at a greater risk of attack.

And despite system administrators’ efforts to keep Microsoft-supplied packages up to date, non-Redmond software is almost exclusively responsible for the growth in vulnerabilities.

That’s according to an annual study by Secunia, which was published on Tuesday.

The security biz reported that the share of third-party vulnerabilities on a typical employee’s computer increased from 45 per cent in 2006 to 78 per cent in 2011 – leaving 12 per cent of the security bugs found in operating systems and 10 per cent in Microsoft code. Of 800 end-point vulnerabilities logged by Secunia last year, the Danish firm rated more than half as either “highly” or “extremely” critical.

Businesses need to review their patching strategy in order to place more emphasis on third-party application updates on end-points such as PCs, Secunia concludes.

These end-points are a top target for crooks because they often host valuable data but are frequently poorly protected. Desktop machines, for example, have unpredictable usage patterns, which makes them especially difficult to defend. The multiple updating mechanisms supplied by different vendors are at least partly to blame for this problem.

These are not the vulnerable programs you are looking for

Corporate security strategies often fall down because they place the wrong emphasis on business-critical programs that crooks seldom target. It is all very well having Windows desktops running fully patched builds of Internet Explorer, or server farms running up-to-date versions of SAP, but if PCs are running older installations of Adobe Acrobat then systems can easily be compromised by a targeted attack. It only takes one worker to open a seemingly relevant email attachment for cyber-crooks or cyber-spies to gain a foothold inside a corporate network.

“By not addressing errors in software installed on typical end-points, organisations and individuals are in effect leaving their ‘windows’ wide open for cyber-criminals to enter and compromise their most sensitive data,” explained Stefan Frei, research analyst director at Secunia.

“The programs that an organisation perceives as top priorities to patch as opposed to the programs that cyber-criminals target are often vastly different,” Frei added. “Many organisations will focus on patching the top layer – business-critical programs – only. Cyber-criminals, however, will target all programs and only need one vulnerable program to compromise the host.”

Secunia cautions that the software vulnerability landscape tends to shift from year to year, so firms need to adopt agile strategies that can cope with shifting patching priorities. For a typical organisation with over 600 programs installed on its network, more than 50 per cent of the programs that are vulnerable in one year will not be vulnerable the next year. So simply patching a static set of preferred programs can leave organisations hopelessly ill-defended against hacker attack, Secunia warns.

“Optimal risk reduction with limited resources” can be best achieved with an agile, dynamic patching strategy, it advises.
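As an added illustration of the exposure-driven approach Secunia is describing (this is not Secunia's code, and the inventory, advisory feed, version numbers and "business-critical" list below are constructed for the example), the script ranks products by the criticality of open holes across the hosts that actually have them, and reports which vulnerable products a static priority list would never look at:

```python
"""Exposure-driven patch prioritisation over a software inventory.

Added example for the Secunia findings above; it is not Secunia's code and
the inventory, advisory feed and 'business-critical' list are constructed.
"""
import re
from collections import defaultdict

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "pc-01": {"Windows 7": "6.1.7601", "Internet Explorer": "9.0",
              "Adobe Reader": "9.4.0", "Java JRE": "1.6.0_29"},
    "pc-02": {"Windows 7": "6.1.7601", "Internet Explorer": "9.0",
              "Adobe Reader": "10.1.2", "Flash Player": "10.3.183.5"},
    "pc-03": {"Windows 7": "6.1.7601", "Internet Explorer": "8.0",
              "Adobe Reader": "9.4.0", "Flash Player": "11.1.102.55"},
    "srv-01": {"Windows Server 2008": "6.0.6002", "SAP GUI": "7.20"},
}

# Constructed advisory feed: (product, first fixed version, criticality 1-5).
# Anything installed below the fixed version is treated as vulnerable.
ADVISORIES = [
    ("Adobe Reader", "10.1.2", 5),
    ("Flash Player", "11.1.102.55", 5),
    ("Java JRE", "1.6.0_31", 4),
    ("Internet Explorer", "9.0", 3),
]

# The kind of static 'top layer' list the article says organisations patch first.
STATIC_PRIORITY = {"Windows 7", "Windows Server 2008", "Internet Explorer", "SAP GUI"}


def parse_version(version):
    """'1.6.0_29' -> (1, 6, 0, 29); tuples then compare component-wise."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_exposures(inventory, advisories):
    """Every (host, product, installed, criticality) where an install is below the fix."""
    exposures = []
    for host, programs in inventory.items():
        for product, fixed, criticality in advisories:
            installed = programs.get(product)
            if installed is not None and parse_version(installed) < parse_version(fixed):
                exposures.append((host, product, installed, criticality))
    return exposures


def rank_products(exposures):
    """Order products by criticality summed over affected hosts, highest first.

    Returns [(product, score, affected_host_count)].
    """
    score, hosts = defaultdict(int), defaultdict(set)
    for host, product, _installed, criticality in exposures:
        score[product] += criticality
        hosts[product].add(host)
    return sorted(((p, score[p], len(hosts[p])) for p in score),
                  key=lambda row: (-row[1], row[0]))


def blind_spots(exposures, static_priority):
    """Vulnerable products a static patch list would never look at."""
    return sorted({product for _h, product, _v, _c in exposures
                   if product not in static_priority})


def hosts_at_risk(exposures):
    """One vulnerable program is enough to compromise a host, so count hosts, not bugs."""
    return sorted({host for host, *_rest in exposures})


if __name__ == "__main__":
    found = find_exposures(INVENTORY, ADVISORIES)
    print("patch order by exposure: ", rank_products(found))
    print("missed by static list:   ", blind_spots(found, STATIC_PRIORITY))
    print("hosts with an open hole: ", hosts_at_risk(found))
```

Re-running this against a fresh advisory feed each cycle is what makes the strategy "dynamic": the ranking follows whatever is vulnerable on the hosts this year, not a list fixed last year. The version comparison is deliberately simple (numeric components only) and would need product-specific handling for real vendor version strings.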

Despite the media focus on zero-day flaws – bugs that are exploited before any fix is available – the majority of attacks involve older flaws. Nearly three quarters (72 per cent) of vulnerabilities had a patch available on the day of disclosure, according to Secunia. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/secunia_patching_study/

Whistleblower: Decade-long Nortel hack ‘traced to China’

Nortel was the victim of a years-long network security breach that allowed hackers to extract its trade secrets, according to a veteran of the bankrupt Canadian telco systems biz.

The hackers stole at least seven passwords from top executives before downloading research, business plans, technical papers, corporate emails and other sensitive data, the Wall Street Journal reports.

Brian Shields, a veteran former worker at the firm who led an internal investigation, told the paper: “They had access to everything. They had plenty of time. All they had to do was figure out what they wanted.”

The attackers, suspected to be based in China, planted carefully camouflaged spyware on client PCs in order to extract passwords, Shields said. The whole assault was so well-executed that it went undetected for years.

Shields, a Nortel employee for 19 years, said the firm only detected a possible breach in 2004, when it discovered that some PCs were regularly sending sensitive data to an IP address in Shanghai. Subsequent investigations suggested the breach dated back as far as 2000, if not earlier.
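The tell-tale described above, PCs regularly sending data to one external address, is the kind of pattern a beaconing detector picks out of flow logs. The following is an added example of that check, not Nortel's tooling or anything described in the Wall Street Journal report; the flow records are constructed (the destination addresses are from the documentation ranges, not the Shanghai address in the story), and the thresholds are assumptions to be tuned against real traffic:

```python
"""Periodic outbound-connection ('beaconing') detection over flow records.

Added example prompted by the Nortel account above. Not Nortel's tooling;
the flow log is constructed and the thresholds are assumptions.
"""
import statistics
from collections import defaultdict

BASE = 1_330_000_000  # constructed epoch start

# Constructed flow log: (epoch_seconds, src_host, dst_ip, bytes_out).
# pc-07 uploads ~180 KB to 203.0.113.45 once an hour with a few seconds of jitter.
JITTER = [0, 3, -2, 5, 1, -4, 2, 0, -1, 4, 3, -3]
FLOWS = [(BASE + i * 3600 + JITTER[i], "pc-07", "203.0.113.45", 180_000 + 5_000 * (i % 3))
         for i in range(12)]
# pc-02 browses normally: irregular timing, small uploads.
FLOWS += [(BASE + t, "pc-02", "198.51.100.10", b) for t, b in
          [(120, 900), (700, 1_200), (4_000, 600), (4_200, 2_500),
           (9_900, 800), (15_000, 1_100), (15_030, 700), (26_000, 950)]]
# A couple of one-off connections from pc-07 elsewhere.
FLOWS += [(BASE + 500, "pc-07", "198.51.100.10", 700),
          (BASE + 8_000, "pc-07", "192.0.2.77", 1_500)]


def find_beacons(flows, min_connections=6, max_jitter_cv=0.05, min_bytes_out=100_000):
    """Flag (src, dst) pairs whose connections recur at near-constant intervals.

    A pair is reported when it has at least min_connections events, the
    coefficient of variation (stdev / mean) of the inter-connection intervals
    is at most max_jitter_cv, and the bytes sent total at least min_bytes_out.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean = statistics.mean(intervals)
        jitter_cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        bytes_out = sum(n for _ts, n in events)
        if jitter_cv <= max_jitter_cv and bytes_out >= min_bytes_out:
            findings.append({
                "src": src, "dst": dst, "connections": len(events),
                "period_s": round(mean), "jitter_cv": round(jitter_cv, 4),
                "bytes_out": bytes_out,
            })
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"period {hit['period_s']}s, jitter cv {hit['jitter_cv']}, "
              f"{hit['bytes_out']} bytes out")
```

Two caveats a practitioner would add: a host that also talks to the same destination outside the schedule will push the jitter figure up and can slip past a plain coefficient-of-variation test (clustering the intervals around their mode is more robust), and the byte threshold only catches bulk exfiltration, not a low-volume command channel, so both thresholds need baselining against the network's own traffic.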

At the time, Nortel responded to the breach by changing the compromised passwords, Shields told the WSJ. It discontinued its internal investigation after six months, reportedly for lack of progress. Shields said Nortel's management ignored his recommendations on how to tighten up the firm's network.

Mike Zafirovski, Nortel’s chief exec between 2005-2009, played down the significance of the breach. He told the Wall Street Journal that staff “did not believe it was a real issue”.

China Syndrome

China is routinely blamed for economic espionage-style attacks, which it has consistently denied. Questioned over the Nortel breach, the Chinese embassy denied any involvement and told the journal that cyberspying attacks are “transnational and anonymous”.

Nortel went bankrupt three years ago, back in 2009. It allegedly failed to disclose the breach on its network to prospective buyers of its assets around the time it went under.

The reported breach against Nortel follows cyberespionage-style attacks against RSA, Google, US defence contractors and Mitsubishi Heavy Industries in Japan – among several others.

Neil Roiter, director of research at Corero Network Security, commented: “We’ve seen time and again that enterprises are successfully breached and the cyber attackers continue to operate undetected for months, even years. The Nortel breach that apparently spanned over nearly a decade is a lesson to all that organizations must implement strong security policies and technology.”

“Organisations need to ensure they have the proper tools at the perimeter and within their networks, and aggressive monitoring to detect outbound traffic and suspicious activity in the event of a breach. The Aurora attacks, the RSA breach and others demonstrate that Fortune 500 companies and other large enterprises are under constant threat from nation states such as China seeking shortcuts to technological advances.”

The prevalence of breaches is likely to prompt tougher rules on breach disclosure, according to Roiter.

“Perhaps more disturbing, if the report is accurate, is the failure of Nortel to respond when the breach was discovered, and, less surprisingly, their failure to disclose it. Perhaps the danger was less clear eight years ago than it is now, but the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling. We expect that the new SEC guidelines will result in more disclosures, such as the recent revelation of the VeriSign breach in 2010, and that companies will be more up front about these events for the sake of the business community at large.”

Chris Petersen, CTO of LogRhythm, a log management company, noted that financially motivated industrial espionage has been going on for decades, long before the present focus on attacks from China.

“Should we really be surprised – especially those of us who grew up in the Cold War – that Nations would aggressively compromise US corporate and agency networks in support of their own economic interests? How many other US corporations are breached and leaking right now? Personally I’m afraid we’d be appalled by the number – it is likely very high.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/nortel_breach/

Bonkers MS security update flags Google.com as malign

A dodgy update to Microsoft’s anti-virus software on Tuesday meant users of the software were wrongly warned that Google’s homepage was infected with the infamous Blackhole Exploit Kit.

Users of Microsoft's Forefront corporate security products and its freebie Security Essentials scanner software were both affected by the snafu. Following the false positive update, surfers who visited Google.com were falsely warned* that it had been contaminated with a “severe” threat – specifically Exploit:JS/Blacole.BW.

Taken at face value, the warning implied that users visiting the site were being hit with scripts that attempted to use browser exploits and the like to push malware onto vulnerable PCs. Microsoft’s Technet support forums soon filled up with notes and queries over the alarming warning, which turned out to be entirely bogus. Microsoft published updated definition files that avoided the false positive within four hours of the first report of the glitch.

False alarms involving anti-virus software affect all vendors from time to time. Such problems, as is the case with Microsoft’s misfiring Valentine’s Day update, normally only cause minor inconvenience and confusion. False positives only really become a serious problem when system files are incorrectly classified as malign, leaving users with unstable – and in some cases unbootable – Windows boxes. ®

Bootnote

*IE users were hit by the false positive as soon as they visited Google.com. Firefox fans were only warned when they initiated a search, according to posts on Microsoft’s Technet support forum. There have been no reports of alerts for Windows users using either Google Chrome or Opera.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/15/ms_security_google_false_alarm/

Scroogle: Dear Google, we’re not bots, we’re HUMAN

A not-for-profit search engine that serves up a privacy-friendly version of Google has been out of action for much of today.

Scroogle, which has routinely been scraping the Chocolate Factory’s search results since 2002 in very workmanlike fashion, sported an error message announcing that it was down for most of the day.

“Forbidden. So sorry… Google is temporarily blocking this Scroogle server. Please wait ten minutes before trying again.”

Scroogle, which has just come back to life, reiterated that nearly every Scroogle searcher “is a live person clicking on a mouse”.

It added that Google treats the site like a bot because traffic from Scroogle’s IP addresses is – at times – higher than normal.

The outfit’s search scraper – the source code for which was released in 2005 – acts as a proxy, hiding users’ IP addresses from Mountain View, and delivering basic results pages without advertising or cross-referencing searches with other Google products.

The Register asked Google and Scroogle for comment but neither party had got back to us at time of writing.

In recent years, Scroogle has been unceremoniously booted off the interwebs by Google several times, after the company tweaked its output format to – at least temporarily – stop its search results from being scraped.

More sinisterly for conspiracy theorists, Google has vanished Scroogle from its search engine. Previously, even when the org’s site was down it would still show up in the big G’s results pages.

That’s not the case anymore, however.

It could be that – ahead of Google’s changes to its terms of service on 1 March – the company removed the interface page Scroogle was using to scrape the results from the ad broker’s site.

Scroogle has form for doggedly coming back to life despite its battles with Google.

Its traffic is nearly always boosted when there’s a public outcry about Mountain View’s handling of data and privacy online… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/14/scroogle_down/

Teen hacker claims smut site hack: ‘I didn’t do it for money’

A teenage hacker claims to have broken into Brazzers, the hardcore porn portal, before making off with hundreds of thousands of user login details.

The 17-year-old Morocco-based hacker uploaded a sample of the stolen data – customer email details, usernames and passwords – as apparent proof of his exploits. He claims to have the personal information of 350,000 users.

The hacker said he was motivated by the desire to highlight a security vulnerability on the adult site, rather than anything overtly political. He did, however, claim allegiance to hacktivist collective Anonymous in an email exchange with AP.

Anonymous splinter group LulzSec carried out a similar operation against porn site Pron.com last June, but these days Anonymous appears to be focusing on more highbrow operations, such as breaking into websites in Bahrain to mark the anniversary of the uprising in the country (today's Op du Jour).

Brazzers has ‘fessed to a breach. Karen Miller, spokesperson for Brazzers’ parent company Manwin Holding, told AP that the hacker accessed its network via an old (inactive but still linked) user forum. No credit card data was exposed, the firm stresses.

An investigation into the breach is underway. Brazzers is in the process of notifying potentially affected smut subscribers. In the meantime its websites are operating as normal.

Brazzers – which bills itself as the “world’s best porn site” – operates a stable of 30 hard-core smut sites, many of which cater to fans of ladies with large and surgically enhanced mams.

Security watchers over at Sophos’ Naked Security blog have criticised the person who breached the site for splurging user details online rather than notifying Brazzers about the problem or otherwise seeking to responsibly disclose the flaw. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/14/smut_site_hack/

FIVE more councils say soz for exposing people’s privates

The Information Commissioner’s Office has found that five local authorities have breached the Data Protection Act by failing to protect personal information about citizens.

Basingstoke and Deane Borough Council breached the Data Protection Act four times over two months in 2011. In one incident, which occurred in May, an individual was mistakenly sent information relating to 29 people who were living in supported housing.

The council has since signed an undertaking committing it to improving its handling of private information.

In July last year, a member of staff at Brighton and Hove council emailed personal details about another council employee to 2,821 council workers. The ICO said that in the previous year a “third party” had informed it about the theft of an unencrypted laptop belonging to the council from the home of a temporary employee.

Brighton and Hove has now given a commitment to ensure that the personal information it processes is secure, including making sure that all portable devices used to store personal data are encrypted.

According to the ICO, similar undertakings have also been signed by Dacorum Borough Council, Bolton Council and Craven District Council. It has also issued an enforcement notice to Staffordshire County Council over its mishandling of a subject access request.

Information Commissioner Christopher Graham said: “At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act. Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.

“We must also consider the detrimental impact these breaches continue to have on the individuals affected. Disclosing details about someone’s social housing status can be upsetting and damaging for those affected. To help tackle this issue I’ve submitted a business case to the government to ask for them to extend my compulsory audit powers.”

This article was originally published at Guardian Government Computing.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/14/councils_breach_data_protection/

Trustwave to escape ‘death penalty’ for SSL skeleton key

Analysis Trustwave’s admission that it issued a digital “skeleton key” that allowed an unnamed private biz to spy on SSL-encrypted connections within its corporate network has sparked a fiery debate about trust on the internet.

Trustwave, an SSL certificate authority, confessed to supplying a subordinate root certificate as part of an information security product that allowed a customer to monitor employees’ web communications – even if the staffers relied on HTTPS. Trustwave said the man-in-the-middle (MitM) gear was designed both to be tamper-proof and to work only within its unnamed client’s compound. Despite these precautions, Trustwave now admits that the whole approach was misconceived and would not be repeated. In addition, it revoked the offending certificate.

Trustwave came clean without any prior pressure. Even so, its actions have split security experts and prompted calls on Mozilla's Bugzilla security list to remove the Trustwave root certificate from Firefox.

Death sentence debate

Critics claimed that Trustwave had enabled its client to issue arbitrary SSL certificates for any domain, in violation of Mozilla's policy against “knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates”. Trustwave sold a certificate knowing that it would be used for man-in-the-middle eavesdropping on encrypted information, an insecure practice that it ought never to have engaged in in the first place.
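The reason a subordinate CA certificate with no name constraints amounts to a "skeleton key" for any domain, and what the X.509 nameConstraints extension would have changed, can be shown with a small model of the RFC 5280 dNSName rule (a constraint of host.example matches host.example and any name formed by adding labels to its left). This is an added example, not Trustwave's product or anything from the Mozilla discussion; the CA records, the permitted and excluded domains, and the hostnames are constructed, and real chain validation covers further name types (IP addresses, email, URIs) that this model leaves out:

```python
"""Why an unconstrained subordinate CA is a 'skeleton key', and what name
constraints change.

Added example for the Trustwave debate above. It models the RFC 5280
dNSName name-constraint rule over simplified CA records; it is not
Trustwave's product, and the CA names and domains are constructed.
"""


def dns_in_subtree(name, subtree):
    """True when a dNSName falls inside a name-constraint subtree (RFC 5280 4.2.1.10)."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard leaf is judged by its parent domain
        name = name[2:]
    return name == subtree or name.endswith("." + subtree)


def check_name_constraints(ca_path, leaf_dns_names):
    """Apply every CA's constraints on the path (root first) to the leaf's names.

    permitted_dns=None means the CA carries no nameConstraints extension, so it
    can vouch for any name; an empty list would permit nothing at all.
    Returns (ok, reason).
    """
    for ca in ca_path:
        permitted = ca.get("permitted_dns")
        excluded = ca.get("excluded_dns", [])
        for name in leaf_dns_names:
            if permitted is not None and not any(dns_in_subtree(name, s) for s in permitted):
                return False, f"{name} is outside the permitted subtrees of '{ca['subject']}'"
            if any(dns_in_subtree(name, s) for s in excluded):
                return False, f"{name} is inside an excluded subtree of '{ca['subject']}'"
    return True, "every name satisfies every CA on the path"


# Constructed CA records. The public root is unconstrained, as real roots are.
PUBLIC_ROOT = {"subject": "Public Root CA", "permitted_dns": None}
# What the article describes: a sub-CA handed to a customer with no constraints.
UNCONSTRAINED_SUB = {"subject": "Customer interception appliance", "permitted_dns": None}
# The alternative: a sub-CA limited to the customer's own (constructed) domain.
CONSTRAINED_SUB = {"subject": "Customer internal CA",
                   "permitted_dns": ["corp.example"],
                   "excluded_dns": ["guest.corp.example"]}


def can_issue_for(sub_ca, hostname):
    """Would a client trusting PUBLIC_ROOT accept a leaf for hostname from this sub-CA?"""
    ok, _reason = check_name_constraints([PUBLIC_ROOT, sub_ca], [hostname])
    return ok


if __name__ == "__main__":
    for sub in (UNCONSTRAINED_SUB, CONSTRAINED_SUB):
        for host in ("mail.google.com", "intranet.corp.example", "wifi.guest.corp.example"):
            ok, reason = check_name_constraints([PUBLIC_ROOT, sub], [host])
            print(f"{sub['subject']:32} {host:26} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The unconstrained record accepts a leaf for mail.google.com, which is exactly the interception capability the critics object to; the constrained record accepts only names under the customer's own domain. Two practical caveats: constraints only help when the extension is present (and marked critical) on the sub-CA and the client actually enforces it, and for a sub-CA already issued without them the only remedy is revocation, which is what the article says Trustwave did.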

Researcher and privacy advocate Christopher Soghoian weighed into the debate on Mozilla’s list with the case for the prosecution.

“Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic,” he wrote. “This is very very different than the usual argument that is used to justify ‘legitimate’ intermediate certificates: the corporate customer wants to generate lots of certs for internal servers that it owns.

“Regardless of the fact that Trustwave has since realized that this is not a good business practice to be engaged in, the damage is done.”

Soghoian concluded: “With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate).”

Those defending Trustwave suggested that other vendors probably used the same approach for so-called “data loss prevention” environments – systems that inspect information flowing through a network to prevent leaks of commercially sensitive data. It would be wrong to impose a death sentence on Trustwave as a certificate authority after it came clean and abandoned the MitM digital certificate technique, the counterargument goes.

“Personally, I think Trustwave should be commended for being the first CA [certificate authority] to come forward, admit to, and renounce this practice of issuing unrestricted 3rd-party sub-CAs,” Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor, wrote in the Mozilla debate.

“When I read Mozilla’s policy, and the CA/B Forum baseline requirements, I see enough wiggle room in there that someone might plausibly claim that some agreed-upon scenarios for MitM certs was not prohibited by the agreement. In fact Geotrust was openly advertising a ‘Georoot’ product on their website until fairly recently.

“Those who are advocating Trustwave’s removal from the list would seem to be of the belief that Trustwave was somehow alone in this practice. As I do not hold that belief, I think it would be a mistake to continue to threaten Trustwave and discourage other CAs from coming forward at this time.”

Next page: Trustwave fights back

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/14/trustwave_analysis/