STE WILLIAMS

‘Quantum Trojans’ undermine security theory

A group of English and Canadian researchers has cast doubt on the nascent push to develop device-independent quantum cryptography standards, asserting that such schemes could be undermined by malicious vendors.

Their paper, Prisoners of their own device: Trojan attacks on device-independent quantum cryptography, is published on Arxiv.org, here.

The paper outlines scenarios which the authors say would be undetectable to the user, but would allow the attacker to obtain sufficient information to snoop on supposedly “uncrackable” quantum cryptography.

The paper, authored by London University mathematician Jonathan Barrett, Roger Colbeck of Canada’s Perimeter Institute of Theoretical Physics, and Adrian Kent of Cambridge’s Centre for Quantum Information and Foundations, states:

“A malicious manufacturer who wishes to mislead users or obtain data from them can equip devices with a memory [El Reg – to clarify, in our reading this refers to a memory included in the devices specifically for attack purposes] and use it in programming them.

“A task is potentially vulnerable to our attacks if it involves secret data generated by devices, and if Eve [El Reg – ie, the attacker] can learn some function of the device outputs.”

Their analysis gives rise, for example, to a scenario in which the attacking equipment might store the key exchange communications from “day 1”, use them to analyse the key exchange taking place on “day 2”, and from that extract the “day 1” key.

This is supposed to be impossible, since any tampering with the quantum communication channel should be revealed – for example, as (entanglement-destroying) noise on the quantum channel.

However, as the authors point out, all real-world channels contain noise; to overcome this, quantum crypto schemes exchange multiple pairs over a noisy channel, and use a statistical analysis to detect interference in the channel.

The malicious manufacturer, however, should be able to conceal its activities below the noise threshold the system uses to decide that the channel remains secure. The attacker could even build systems whose actual noise levels are lower than claimed, and use the gap between specified and real noise to conceal their activity.
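
To make the noise-threshold point concrete, here is an added example (not code from the paper or from any QKD vendor) that models the statistical check the article describes: after the quantum exchange, the two parties publicly compare a random sample of their bits, estimate the quantum bit error rate (QBER), and abort if the error rate cannot be shown to sit below an abort threshold. The channel, the noise figures, the sample sizes and the confidence parameter are all constructed for the demonstration and are assumptions, not figures from the paper.

```python
"""Illustrative QKD channel-noise check (added example, not from the paper).

Assumed model: after sifting, Alice and Bob publicly compare a random sample of
their bits and estimate the QBER. The session is accepted only if a statistical
upper bound on the true error rate stays below the abort threshold. All data is
generated from a seeded PRNG; nothing here models a real device.
"""
import math
import random


def transmit(key_bits, error_rate, rng):
    """Flip each bit independently with probability error_rate (constructed channel noise)."""
    return [b ^ (1 if rng.random() < error_rate else 0) for b in key_bits]


def qber_estimate(alice_bits, bob_bits, sample_size, rng):
    """Publicly compare a random sample; return (observed QBER, sampled positions).

    The sampled positions are discarded from the final key afterwards, as in a
    real protocol, because they have been revealed.
    """
    idx = rng.sample(range(len(alice_bits)), sample_size)
    errors = sum(alice_bits[i] != bob_bits[i] for i in idx)
    return errors / sample_size, set(idx)


def qber_upper_bound(observed, n, delta):
    """One-sided Hoeffding bound: with probability at least 1 - delta the true
    error rate is at most observed + sqrt(ln(1/delta) / (2n))."""
    return observed + math.sqrt(math.log(1.0 / delta) / (2.0 * n))


def channel_accepted(observed, n, threshold, delta=1e-3):
    """Accept only if even the statistical upper bound is below the threshold.
    delta = 1e-3 is an illustrative confidence parameter, not a recommendation."""
    return qber_upper_bound(observed, n, delta) <= threshold


def run_session(true_noise, extra_errors, threshold, n_key=100_000, n_sample=20_000, seed=1):
    """Return True if a session whose channel flips bits at rate
    true_noise + extra_errors passes the check at the given threshold."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n_key)]
    bob = transmit(alice, true_noise + extra_errors, rng)
    observed, _ = qber_estimate(alice, bob, n_sample, rng)
    return channel_accepted(observed, n_sample, threshold)


if __name__ == "__main__":
    # Constructed scenario: the datasheet says 5% QBER is normal for the device,
    # but the hardware actually delivers 1%. Two extra percentage points of
    # interference pass a check pinned to the datasheet figure...
    print(run_session(0.01, 0.02, threshold=0.05))
    # ...and fail a threshold derived from the measured 1% baseline plus margin.
    print(run_session(0.01, 0.02, threshold=0.03))
```

The gap between the specified and the real noise is exactly the budget an interfering party has to play with, which is why the threshold ought to track the measured baseline rather than the datasheet figure. The caveat the paper turns on is that the measured baseline also comes from the device, so tightening the threshold helps against an outside eavesdropper but not against a manufacturer who controls what the device reports; that is the reason the authors treat the devices themselves as untrusted.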

If not addressed, the authors say the flaws they have identified effectively turn QKD devices into a “use once” proposition: you can only guarantee security for the first exchange, so the device has to be disposed of. ®

Comment: Before the world proclaims “quantum crypto not secure!” in headlines (too late? Oh well…) El Reg would make a couple of observations.

First, the malicious manufacturer is not a quantum-specific threat: backdoors can be just as easily inserted into classical cryptography kit.

Second, this paper is presenting a discussion not on any mass-deployed system, but on proposed schemes for device-independent QKD. Device independence has come to the fore chiefly because of prior demonstrations suggesting that today’s implementations have exploitable flaws; as a result, there has been ongoing discussion as to how users might verify the security of a quantum communication without knowing anything about the equipment used to create that channel.

For those interested in the kinds of schemes they believe could be compromised, the article cites some key papers on Arxiv, such as:

Security and composability of randomness expansion from Bell inequalities.

Certifiable quantum dice or, testable exponential randomness expansion.

Device-independent randomness expansion secure against quantum adversaries.

Third, the authors do not claim to have actually built a working proof-of-concept: their paper is a discussion of how a malicious system may be designed; it’s been published on Arxiv for review, and El Reg would expect a veritable feast of future papers for quantum crypto enthusiasts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/29/quantum_key_schemes_vendor_mitm/

Students busted for hacking computers, changing grades

Three high school juniors have been arrested after they devised a sophisticated hacking scheme to up their grades and make money selling quiz answers to their classmates.

The students are accused of breaking into the janitor’s office of California’s Palos Verdes High School and making a copy of the master key, giving them access to all the classrooms. They then attached keylogging hardware to the computers of four teachers, and harvested the passwords needed to access the central files of the school network.

They then used that access to change their grades slightly, nudging them up by increments so that all three got As. At the time they were caught, keyloggers were found on three other teachers’ systems, indicating the group was expanding its efforts.

“They were pretty smart,” Palos Verdes Estates police Sgt. Steve Barber told the Daily Breeze. “They knew exactly what to do with the computers. The scores wouldn’t go up a whole lot, but enough to change their grade. They didn’t want to make it real apparent something was going on.”

The three didn’t just confine themselves to computer hacking. They’re also accused of using the master key to pilfer around 20 tests before they were given – they then worked out the answers and sold them to other students. This scam only came to light when another student heard of the offer and snitched to the school principal.

“They were very bright kids,” said Principal Nick Stephany. “They were in AP and honors classes. Am I shocked? Yeah. Definitely by the extent of it. None of these kids had any real trouble before.”

Two students have been expelled over the incident, and others are to be disciplined for receiving stolen goods. The school has also upgraded its security and has advised teachers to change their passwords. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/27/students_hack_teachers_computers/

Facebook flings clickjack spam lawsuit at ad-slingers

Facebook and US state of Washington have filed lawsuits against marketing firm Adscend Media over alleged clickjacking and spam practices, as the social networking giant finally gets tough with scammers operating on the site.

The lawsuits were filed against the co-owners of Delaware-based Adscend in the US District Court in Seattle (PDF) and a federal court in the Northern District of California. They allege violation of the CAN-SPAM Act which prohibits the sending of misleading electronic communications. Adscend was fingered for clickjacking and other scams which netted its owners up to $1.2m a month at their height.

Such scams on Facebook work by luring the user into clicking on a link with the promise of viewing some particularly shocking or salacious content, like a semi-naked celebrity or an animal with two heads.

Before the user can view the content, however, they are asked to complete an online survey where they will be encouraged to fill in their personal information, or they could be persuaded to sign up to an expensive mobile service.

In the specific case of clickjacking, also known as likejacking, they will also be tricked into clicking on a hidden ‘Like’ button which then spams the scam out to all of their friends.
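
Clickjacking only works when the page carrying the button can be loaded inside someone else's frame, so the defence on the page owner's side is to tell browsers not to allow that. The following is an added example (not Facebook's code, nor anything from the lawsuit) showing how the two relevant response headers, the legacy X-Frame-Options and the Content-Security-Policy frame-ancestors directive, are read and how a hardened set of headers is built. The header values and origins used are constructed for the demonstration.

```python
"""Checking whether an HTTP response allows its page to be framed.

Added example: parses X-Frame-Options and the CSP frame-ancestors directive
and reports which ancestor origins, if any, may embed the page. A page that
cannot be framed cannot have its buttons hidden under an attacker's overlay.
All header values here are constructed for the demonstration.
"""


def _parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def frame_ancestors(headers):
    """Return the set of ancestor sources allowed to frame the page.

    An empty set means framing is blocked; {"*"} means any origin may frame.
    Header names are matched case-insensitively, as HTTP requires. When both
    headers are present, frame-ancestors wins, which is what current browsers do.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        policy = _parse_csp(csp)
        if "frame-ancestors" in policy:
            sources = {s.strip().lower() for s in policy["frame-ancestors"]}
            return set() if sources == {"'none'"} else sources
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return set()
    if xfo == "SAMEORIGIN":
        return {"'self'"}
    # No recognised anti-framing header: any site may embed the page.
    return {"*"}


def is_frameable(headers):
    """True if at least one ancestor origin may embed the page."""
    return bool(frame_ancestors(headers))


def hardened_headers(allowed=()):
    """Build the headers a site should send.

    allowed lists trusted origins that may embed the page, for example
    ("https://partner.example",); with no entries framing is refused entirely.
    """
    sources = " ".join(("'self'",) + tuple(allowed)) if allowed else "'none'"
    headers = {"Content-Security-Policy": f"frame-ancestors {sources}"}
    # X-Frame-Options is for older browsers. It cannot express an allow-list,
    # so the fallback is SAMEORIGIN when partners are allowed, DENY otherwise.
    headers["X-Frame-Options"] = "SAMEORIGIN" if allowed else "DENY"
    return headers


if __name__ == "__main__":
    print(is_frameable({}))                                   # nothing set: frameable
    print(is_frameable(hardened_headers()))                   # hardened: not frameable
    print(frame_ancestors(hardened_headers(("https://partner.example",))))
```

The checker is the kind of thing to run against every response of a site that hosts a Like-style button; the one case it cannot fix is a widget whose whole purpose is to be embedded on third-party pages, which is why such widgets need confirmation steps or other measures beyond headers.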

“We don’t ‘like’ schemes that illegally trick Facebook users into giving up personal information or paying for unwanted subscription services through spam,” said Washington State attorney general Rob McKenna.

“We applaud Facebook for devoting significant technical and legal resources to finding and stopping scams as soon as possible – and often before they even start. We’re proud to join forces in order to protect Washington consumers.”

Facebook also issued a strongly worded statement following the joint press conference the two scam-busting parties held at the social networking firm’s Seattle office.

“Facebook’s security professionals have made tremendous strides against this particular form of attack and we are intent on eradicating it completely. We will continue to use all tools at our disposal to ensure that scammers do not profit from misusing Facebook’s services,” said the firm’s chief litigator, Craig Clark.

Despite the tough talk, however, Facebook hasn’t often used the significant bundles of cash at its disposal to pursue scammers through the courts.

A notable exception came in October 2010, when a federal court awarded it a massive $360.5m in a case against prolific spammer Philip Porembski. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/27/facebook_sues_marketing_firm/

Judges set timetable for McKinnon case resolution

Senior judges have set a timetable to speed up resolution in the long-running Gary McKinnon extradition case, effectively setting a deadline for the Home Office to respond to evidence that McKinnon is too infirm to withstand the stress of a US trial and likely imprisonment over alleged Pentagon hacking offences.

The case was listed for a full hearing in July after two judges (Lord Justice Richards and Mr Justice Cranstone) heard that the Home Secretary Theresa May was still considering medical evidence that Asperger’s sufferer McKinnon would be a suicide risk if extradited to the US to face charges of hacking into US military computers back in 2001 and 2002.

Edward Fitzgerald QC, representing McKinnon, said that there would be no need to stage further hearings in the case if May ruled in McKinnon’s favour.

Fitzgerald said the medical evidence showed McKinnon was “suffering from a serious mental disorder and there is a serious risk of suicide if extradited”.

“We hope it will never come back to court,” he said. Arguments were also advanced that McKinnon ought to be allowed to complete his current treatment programme irrespective of what happens in the extradition proceedings against him.

McKinnon, 45, admits hacking into US government systems during 2001 and 2002 to look for evidence of UFOs but denies causing any damage. He was first arrested by detectives from the former NHTCU in 2002, long before extradition proceedings began in 2005. Subsequent legal proceedings have included appeals in the case all the way up to the House of Lords as well as a set of three judicial reviews into the handling of the case by ministers and others.

The Scots-born hacker’s family and friends have long called for him to be tried in the UK, if anywhere. The Free Gary campaign has become a cause célèbre over the years, attracting the support of musicians, politicians and other public figures. The campaign focused attention on US-UK extradition requirements, which critics argue are unfairly biased because US extradition requests need not be accompanied by any evidence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/27/timetable_mckinnon_case_resolution/

Microsoft exec says Safe Harbor framework is ‘alive and well’

CPDP Privacy advocates have expressed concern about Brussels’ Commissioner Viviane Reding’s decision to leave in place the Safe Harbour framework used by some companies to transfer data from Europe to the US.

The EC’s vice president tabled her draft bill for the overhaul of the EU’s 1995 data protection law on Wednesday.

However, critics have questioned how the Safe Harbour scheme can remain workable within the wider context of the commissioner’s DP legislation proposals.

EU data protection laws currently state that organisations must tell people when they are asked to disclose their personal information. Some companies that meet the requirements of Europe’s DP directive are allowed to transfer EU data to the US.

Microsoft is one of them.

Reding’s proposals state:

Article 41 sets out the criteria, conditions and procedures for the adoption of an adequacy decision by the Commission, based on Article 25 of Directive 95/46/EC. The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. The article now confirms explicitly the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

Article 42 requires for transfers to third countries, where no adequacy decision has been adopted by the Commission, to adduce appropriate safeguards, in particular standard data protection clauses, binding corporate rules and contractual clauses. The possibility of making use of Commission standard data protection clauses is based on Article 26(4) of Directive 95/46/EC. As a new component, such standard data protection clauses may now also be adopted by a supervisory authority and be declared generally valid by the Commission. Binding corporate rules are now specifically mentioned in the legal text. The option of contractual clauses gives certain flexibility to the controller or processor, but is subject to prior authorisation by supervisory authorities.

Article 43 describes in further detail the conditions for transfers by way of binding corporate rules, based on the current practices and requirements of supervisory authorities.

Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. This applies in particular to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, or between services competent for social security matters or for fisheries management. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of that transfer operation.

Article 45 explicitly provides for international co-operation mechanisms for the protection of personal data between the Commission and the supervisory authorities of third countries, in particular those considered offering an adequate level of protection, taking into account the Recommendation by the Organisation for Economic Co-operation and Development (OECD) on cross-border co-operation in the enforcement of laws protecting privacy of 12 June 2007.

Ron Zink, who is Microsoft’s EU affairs COO, told a panel at the Computer, Privacy Data Protection conference in Brussels today that he hoped that the “Safe Harbor framework is alive and well and would continue.” He added, “I hope it continues to be an adequate mechanism for the transfer of data between the US and EU.”

But Walter Van Holst of the European Digital Rights group, who was also present on the panel, retorted that the scheme was “a compromise that just doesn’t work”.

He added that “Safe Harbor is dead. We just forgot to bury it.”

Zink insisted that “Safe Harbor was alive and well,” however.

A representative for the European Commission told the audience that it would report on the Safe Harbor framework in the coming months.

Van Holst said that the “export of personal data” remained “poorly enforced” and added that it was “detrimental to European companies”.

He added that “talks about data being offshored in places outside the current scope of the Directive hurts European companies”.

‘Aspirational rules’

More generally, Zink reaffirmed comments he made earlier this week about the need for “harmonisation” of data-handling on both sides of the Atlantic.

He has expressed some concerns about the proposed reform of DP law in the EU, specifically about how the so-called “Right to be forgotten” online can be adequately addressed, and about the need for the reform not to be overly prescriptive.

“It’s easy to criticise a monumental task like this. It’s complex: everyone’s looking.” He added: “With cloud computing we’re moving data around the world”.

“The fact that this is a regulation that harmonises is very good.”

Zink also said that “improvements” had been made to how data is transferred around the world and added that contractual clauses detailed in Article 42 of the draft bill “could be helpful”. He added that consent from an individual about usage of their data needed to be “explicit”.

The MS exec said that Reding’s proposed rules on data protection were “aspirational”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/27/microsoft_cpdp_data_protection_planned_eu_reform/

US lawmakers question Google over privacy policy

Google is insisting that its new privacy policy will still give its users control, after criticism in a letter from US members of Congress.

The lawmakers wrote to Google to express concern that users wouldn’t be able to opt-out of the new data sharing system when using Chocolate Factory products.

“We believe that consumers should have the ability to opt out of data collection when they are not comfortable with a company’s terms of service and that the ability to exercise that choice should be simple and straightforward,” the letter said.

Google already said when introducing the new privacy policy that it wanted to make privacy across its products easier and clearer.

“Our new Privacy Policy makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience,” the Chocolate Factory’s official blog chirped on Wednesday.

To many commentators, the policy looked like Google would collect data on users wherever they surfed and whenever they used their phones, and use it to target advertising and search results at them.

The US politicos said they were worried that some Google products and services are more hidden, so users might not necessarily know what data was being linked to them and that most products can’t be used without logging in.

“What are the names of all of the Google products and services? For each product, are you able to use that product without logging in?” the letter demanded.

They also have bees in their bonnets about Android phones, which usually require a Google account of some description.

“Please explain exactly how a user of an Android phone will be affected by Google’s new policy? Is there any ability for users to opt-out, other than not purchasing and using an Android phone?” the letter asked.

Congressman Ed Markey, one of the signatories to the letter, said on his website that he was particularly worried about how the new policy would affect young people.

“Googling is like breathing for millions of kids and teens – they can’t live without it,” he said.

“Google’s new privacy policy should enable consumers to opt-out if they don’t want their use of YouTube to morph into YouTrack.”

Markey also questioned if what Google was doing was a violation of a settlement with the Federal Trade Commission. Last March, Google and the FTC reached an agreement after the rollout of the short-lived Buzz social network that required the firm to seek consent if it gathered information under one privacy policy but then changed that policy.

“Consumers – not corporations – should have control over their own personal information, especially for children and teens. I plan to ask the FTC whether Google’s planned changes to its privacy policy violate Google’s recent settlement with the agency,” Markey said.

The Chocolate Factory took to its blog again following the letter to defend the new policy.

“A lot has been said about our new privacy policy,” policy manager Betsy Masiello said. “Some have praised us for making our privacy policy easier to understand. Others have asked questions, including members of Congress, and that’s understandable too.”

“So here’s the real story, you still have choice and control.”

The posting then went on to answer some of the questions from the letter.

Google said that there was no need to log in to use a lot of its products, including search, maps and YouTube, and even when users were logged in, they could use privacy tools like ‘incognito’ to control their private data.

The search giant also said that it wasn’t going to collect more data about its users, and it was just trying to “make things simpler”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/27/google_privacy_policy_concern/

Blackhole crimeware kit drives web threat spike

Fake anti-virus scams are on the wane but drive-by-download threats have rocketed over the past year thanks to the hugely popular Blackhole crimeware kit, while Conficker remains prolific some three years after its release, according to Sophos.

The UK-based security vendor said in its Security Threat Report 2012 (PDF) released today that fake AV levels were 50 per cent lower at the end of 2011 than they were at the start of the year.

Vice president of SophosLabs, Mark Harris, told The Register that although fake AV levels had dropped, it was still the second-most common threat. He said it may just be experiencing a blip as a result of the FBI’s raid on a prolific scareware gang and the arrest of the co-founder of dodgy Russian payment firm ChronoPay in June.

“It’s a dip but they will adapt and move onto other mechanisms. We’ve already seen a technique in Russia where users are encouraged to download an application for free but in order to complete the process they have to text a premium SMS number,” he explained.

“It’s a new trend we’ve seen over the past couple of months and is an example of how malware authors are adapting to get payments another way.”

Drive-by downloads have now become the number one web threat, Sophos said. Ten per cent of threats are now exploit sites, with two-thirds of these the result of popular crimeware kit Blackhole, which generates polymorphic, obfuscated malware that is difficult to detect.

Typical payloads generated by Blackhole include rootkit droppers, fake AV and malware to turn infected machines into botnets, while Java, Flash and PDF vulnerabilities are among the most commonly targeted.

“I fully expect drive-by-downloads to grow this year. It’s partly about end user education filtering through,” said Harris.

“The spam emails the cyber criminals sent with malicious attachments were working but users are now getting more sophisticated and suspicious so they’re forced to move to other techniques. It’s harder for the criminals because once the infection is found the website can be blocked.”

Surprisingly, Sophos also revealed in the report that old timer Conficker is still causing mischief over three years after it was released into the wild. According to the vendor it is the most commonly encountered piece of malware, representing 14.8 per cent of all infection attempts.

Conficker’s continued survival is a result of its aggressive propagation capabilities compounded by poor basic security measures such as patching, and a less than rigorous approach to managing removable and mobile devices, said Harris. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/26/sophos_fakeav_conficker/

Google emails Virgin Media subscribers … about privacy

Fuming Virgin Media customers have taken to the telco’s forum to complain that their email addresses have been used by Google, instead of being kept private.

The customers got a surprise email from Google today, who seemed to think they were all users.

The Chocolate Factory is in the middle of updating its users about its new privacy policy, which will mean that Gmailers surfing the web will use other Google products in conjunction with that account whether they want to or not.

Virgin Media moved all of its subscribers onto Google’s service when it signed a deal with the company back in 2009 after getting rid of the legacy email systems left over from NTL and Telewest.

Despite this, Virgin Media customers did not expect to get emails directly from the Chocolate Factory and didn’t know that Google had access to their addresses.

Irate customers also want to know how Google’s privacy changes will affect the telco’s privacy policy.

“I realise that VM have outsourced the email service to Google but would expect significant changes in the account conditions etc to be announced by VM not by Google,” one subscriber said on the Virgin Media forum.

“I’m sure VM subcontract and outsource to hundreds of companies – nothing to do with me however, my privacy agreement etc is with VM,” another said.

Other complaining customers said they’d received the Google email to both blueyonder and virginmedia addresses.

A Virgin Media spokesperson told The Register: “Google provides our email platform and we’re aware they’ve emailed some Virgin Media Mail users directly. We’re speaking to Google to understand why.”

The telco couldn’t say at this time whether its own privacy policy was going to be affected by Google’s policy changes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/26/google_emails_virgin_media_subscribers/

Symantec’s profits up in calm third quarter

CEO Enrique Salem stands crisp and smart on the poop deck of the good ship Symantec, looking back at a straight course and ahead to more growth. It’s a pretty unexciting third quarter story really.

Third quarter revenues for the security, storage and server company were $1.75bn – 7 per cent up on a yearly comparison. Profits were $240m, up loads from the $132m recorded a year ago, an increase of 82 per cent actually, which must have made the generally imperturbable Salem feel like whooping with joy.

Symantec said: “Consumer segment revenue represented 31 per cent of total revenue and increased 5 per cent year-over-year on an actual and currency-adjusted basis.

“The Security and Compliance segment revenue represented 30 per cent of total revenue and increased 17 per cent year-over-year on an actual and currency-adjusted basis.

“The Storage and Server Management segment revenue represented 36 per cent of total revenue and increased 3 per cent year-over-year on an actual and currency-adjusted basis.

“Services segment revenue represented 3 per cent of total revenue and decreased 13 per cent year-over-year … as expected due to the company’s move to a partner-led consulting model.”

Revenues for the fourth quarter are expected to be between $1.72bn and $1.73bn, increasing 2.8 to 3.4 per cent on an annual basis. Salem is probably encouraging his storage and server business execs to get that growth rate up to consumer and security and compliance segment levels. Hmm, what can they do? Buy CommVault? Get into big data more? Provide cloud storage gateway software to stop Amazon and others stealing the data protection business from underneath their noses?

Symantec’s navigators are plotting the course ahead to find good winds, safe seas and fine anchorages. The rise in governmental and corporate hacks is good news for the security software maker and indicates strong and steady growth ahead. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/26/symantec_q3_fy2012/

OpIreland hackers spank gov sites as ‘Irish SOPA’ nears

Anonymous took out several key Irish government websites last night and promised more disruption to come in retaliation for new SOPA-like legislation which it claimed would make it easier for copyright-holders to block access to file sharing and other sites in the country.

The hacktivist collective announced OpIreland last night, launching brief but successful DDoS attacks on the websites of the Departments of Justice and Finance as well as the Freedom of Information unit and BlueBlindfold.gov.ie, which provides information on human trafficking.

The Reg is still seeking official confirmation from the Irish government on the DDoS attacks, although they were reported on thejournal.ie.

All sites are now back up and running but the hacktivist collective warned of more attacks in the future and at the time of writing is focusing efforts on taking down the website of Sean Sherlock, the junior minister who is shepherding the controversial legislative changes through.

What Anonymous and others are so upset about is a new statutory instrument – a change in Irish law that doesn’t have to be ratified by Parliament – which is set to be pushed through by the end of the month.

They claim its aim is to clarify the law to make it possible for the courts to force ISPs and other third parties to block third-party sites suspected of copyright infringement. As such, it has become known as “Ireland’s SOPA”, with over 31,000 already signing up to a petition opposing the legislation.

The clarification was deemed necessary after a previous legal dispute between the entertainment industries and Irish ISP UPC led a High Court judge to rule that there is nothing under current Irish law to force an ISP to block a website suspected of copyright infringement.

The Irish government is set to push through the changes despite a landmark ruling from the European Court of Justice in the SABAM vs Scarlet case which stated that attempts at blocking certain web content are prone to infringe on freedom of expression.

Security consultant and head of Ireland’s Computer Security Incident Response Team (CSIRT) Brian Honan told The Register that the statutory instrument is causing concern in Ireland for three key reasons. “The wording of the proposed amendments has not been made public; what we have found out is very broad and could be abused in future; and finally it’s not being debated and industry has not been consulted at all over this,” he said.

Batten down the hatches, sysadmins

Honan urged sysadmins in the country to carry out an urgent risk profile of their organisation to determine whether it could be a target of OpIreland.

“Ensure your systems are patched and up-to-date and any unnecessary services are turned off,” he advised. “Also make sure your firewalls are up-to-date and configured properly, your IDS is on and configured properly and actively monitor this and other logs for suspicious activity.”
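
The last item in that advice, actively monitoring logs for suspicious activity, is the one most often left as an afterthought. As an added example (not Honan's or the CSIRT's code), here is a small detector that reads web-server lines in the common “combined” log format and flags any client exceeding a request rate over a sliding window, which is the simplest signal of the kind of flood described above. The log lines, the addresses and the rate limits are constructed for the demonstration and are not real traffic.

```python
"""Flagging request floods in web-server logs (added example).

Assumes Apache/nginx "combined" log format with lines in time order. A client
that exceeds `limit` requests within any `window` seconds is reported together
with the time it crossed the limit. The sample log and thresholds below are
constructed and illustrative; real limits depend on the site's normal traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than trusted
    return (
        m.group("ip"),
        datetime.strptime(m.group("ts"), TS_FMT),
        m.group("req"),
        int(m.group("status")),
    )


def flood_sources(lines, window=10, limit=5):
    """Return {ip: timestamp at which it first exceeded `limit` requests in `window` seconds}."""
    recent = defaultdict(deque)  # per-client timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample: 203.0.113.9 fires six requests in four seconds, 198.51.100.4
# browses normally, and one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.9 - - [25/Jan/2012:21:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [25/Jan/2012:21:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [25/Jan/2012:21:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [25/Jan/2012:21:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [25/Jan/2012:21:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
garbage line that does not parse
203.0.113.9 - - [25/Jan/2012:21:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [25/Jan/2012:21:00:04 +0000] "GET / HTTP/1.1" 503 0 "-" "-"
198.51.100.4 - - [25/Jan/2012:21:00:30 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "-"
""".splitlines()


if __name__ == "__main__":
    for ip, when in flood_sources(SAMPLE_LOG).items():
        print(f"{ip} exceeded the rate limit at {when.isoformat()}")
```

A per-address counter like this catches a single noisy client but not a distributed flood spread thinly across many addresses; for that, the same sliding-window logic applied to the total request rate, or to the rate per requested path, is the natural next step, and either way the numbers only mean something once the site's normal baseline has been measured.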

Unsurprisingly, the controversial proposals have also drawn the anger of Irish telecoms industry association, ALTO, which argued that the “rush to shore-up a perceived legislative gap by secondary legislation” is in no party’s best interests and serves “no valid purpose”.

“ALTO further believes that the proposed wording of the draft text leaves little guidance to a court in determining what order might arise out of a successful injunction application,” it said.

Junior minister Sean Sherlock took to the airwaves to allay any fears that the new instrument could impinge on personal freedoms and harm what is a thriving web industry in Ireland.

He argued that the law was only being drafted to clarify a position already held, that copyright-holders should have the right to seek an injunction where there is a breach of their copyright. He was less clear, however, on how this could be achieved while still respecting the European SABAM vs Scarlet judgment.

“We have no intention of blocking sites, we have no intention of introducing legislation which will restrict internet freedoms; this is a liberal democracy,” Sherlock told RTE Radio 1’s Drivetime programme. “All we’re doing is giving a voice to what is a position which we felt was held in Irish law anyway.”

Michele Neylon, managing director of Irish hosting firm Blacknight, hit the nail on the head with his appraisal of the minister’s performance.

“I have very mixed feelings because I think the minister is trying his best to address the concerns that people like ourselves would have, but I also suspect he doesn’t understand the technical implications of what he’s asking,” he said on the same radio programme.

Irish lecturer and solicitor TJ McIntyre has compiled a useful FAQ on Ireland’s SOPA here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/25/opireland_sopa_anonymous/