STE WILLIAMS

BT, Scotland Yard form copper theft crackdown supersquad

BT is working with Scotland Yard in an effort to crack down on metal theft, which the Met said costs taxpayers £700m per year – not to mention the misery when power and telecoms cabling is nicked.

A group – dubbed the Waste and Metal Task Force – has been formed, made up of the Metropolitan Police Service; representatives from BT; and members of the environmental crime unit at Bexley council, which has a large number of scrap metal dealers.

“Metal theft is not a victimless crime but is causing increasing misery to commuters and householders, and costing millions to the rail industry and local authorities,” said Chief Superintendent David Chinchen, who led Scotland Yard’s Operation Ferrous, which is the Met’s investigation into metal theft.

“Our latest operation aimed to identify, disrupt and deter those involved in this illegal trade, and acted as an important intelligence-gathering exercise for future operations so that we can target those evading the law and those who supply them even more effectively,” he added.

“We are keen to work with legitimate scrap metal dealers, but those who aren’t can expect to see regular enforcement. These crimes are covered by a complex range of laws, thus a multi-pronged approach is essential in order to tackle it robustly and we are already working closely with our partner agencies.

Scotland Yard cop inspects stolen copper

“Our officers will employ a wide range of robust tactics and we plan to run regular operations to crack down on those seeking to profit, and who end up disrupting others’ lives and putting their own at risk.”

The investigation uncovered £16,000-worth of BT cable and copper earthing straps stolen from a National Grid sub-station in Bexley borough alone.

Scotland Yard said that one of the illegal tricks employed by metal thieves involved setting up around a manhole cover while wearing fake BT vests and carrying false BT passes. The Met added that this ought to be recognisable as a shady affair, since BT always hires sub-contractors to recover the national telco’s underground cable.

“In September 2011, four men were arrested in Lambeth using two bogus BT trucks, a BT van and a winch to steal underground cable,” the Met said. “The same team are believed to be responsible for cable cuts across London and Essex in recent months.”

The Yard added that a single piece of copper cable nicked from an underground telephone network could knock out the landlines to more than 200 homes and businesses for up to three days at a time.

Fibre-optic cable is often damaged by thieves who try to get their hands on copper, which typically uses the same infrastructure. However, fibre is worthless to criminals. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/20/bt_met_police_copper_theft/

Mobiles forced to send premium-rate texts in new attack

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user’s inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that’s likely to happen.

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender’s number or to the operator’s message centre. This creates two possible attack scenarios.

In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.

Attackers can’t control the content of the automatic error responses, a potential stumbling block when it comes to signing people up for these services simply because they’ve sent a message, but it’s easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing people up to its services only in response to properly formatted requests rather than any old message.

In the second case, a SIM Toolkit error message is sent to the operator’s message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message, creating an error loop that prevents the delivery of legitimate SMS messages to a user’s handset until the bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.

Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.

Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of a SIM Toolkit response. However, the option “Confirm SIM Service Actions” is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting the numbers that are allowed to send them. However, Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports.
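The operator-side mitigation described above (filter SIM Toolkit messages, whitelist the senders allowed to issue them), as an added example that is not part of the article or of Alecu’s research: it parses the header of an SMS-DELIVER TPDU using the 3GPP TS 23.040 field layout, recognises the messages a handset hands to the SIM without showing the user, and delivers them only from a whitelist of originators. The sample TPDU, phone numbers and whitelist are constructed for the example.

```python
"""Operator-side filter for SMS messages addressed to the SIM Application Toolkit.

Added example, not code from the article or from Alecu's research. It models
the mitigation the article describes: identify SMS-PP data download messages
(the ones a handset passes straight to the SIM instead of the inbox) and
deliver them only from whitelisted originators such as the operator's own OTA
platform. Field layouts follow 3GPP TS 23.040 (SMS-DELIVER TPDU); the sample
message, numbers and whitelist are constructed.
"""
from dataclasses import dataclass

# TP-PID value that marks "(U)SIM Data download" (3GPP TS 23.040, 9.2.3.9).
PID_SIM_DATA_DOWNLOAD = 0x7F


@dataclass
class SmsDeliver:
    originator: str   # TP-OA digits, '+' prefixed when international
    pid: int          # TP-PID
    dcs: int          # TP-DCS
    user_data: bytes  # TP-UD


def _decode_semi_octets(data: bytes) -> str:
    """Decode BCD digits stored low nibble first; 'F' padding is dropped."""
    digits = []
    for b in data:
        digits.append("%x" % (b & 0x0F))
        digits.append("%x" % (b >> 4))
    return "".join(d for d in digits if d != "f")


def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    """Parse the header fields of an SMS-DELIVER TPDU."""
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_len = tpdu[1]                    # TP-OA length in digits
    toa = tpdu[2]                       # type-of-address octet
    oa_bytes = (oa_len + 1) // 2
    pos = 3
    number = _decode_semi_octets(tpdu[pos:pos + oa_bytes])
    if (toa >> 4) & 0x07 == 0x01:       # type of number: international
        number = "+" + number
    pos += oa_bytes
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2 + 7                        # skip TP-PID, TP-DCS, TP-SCTS (7 octets)
    udl = tpdu[pos]
    return SmsDeliver(number, pid, dcs, tpdu[pos + 1:pos + 1 + udl])


def is_sim_specific_class(dcs: int) -> bool:
    """True when TP-DCS carries message class 2, '(U)SIM specific message'."""
    group = dcs >> 4
    if group <= 0x3:                    # general data coding group
        return bool(dcs & 0x10) and (dcs & 0x03) == 0x02
    if group == 0xF:                    # data coding / message class group
        return (dcs & 0x03) == 0x02
    return False


def is_sim_toolkit_message(msg: SmsDeliver) -> bool:
    """Messages the handset hands to the SIM without alerting the user."""
    return msg.pid == PID_SIM_DATA_DOWNLOAD or is_sim_specific_class(msg.dcs)


def filter_decision(msg: SmsDeliver, allowed_originators: frozenset) -> str:
    """Return 'deliver' or 'drop' under the whitelist policy.

    Only meaningful where the originator address has been authenticated (at
    the SMSC for home subscribers, or after interconnect and SMS gateway
    traffic is checked): a spoofed originator defeats a bare list.
    """
    if not is_sim_toolkit_message(msg):
        return "deliver"
    return "deliver" if msg.originator in allowed_originators else "drop"


# Constructed sample: TP-PID 0x7F and TP-DCS 0xF6 (8-bit data, class 2) with a
# dummy 3-byte payload. Not a real OTA command.
SAMPLE_TOOLKIT_TPDU = bytes.fromhex(
    "04"                    # TP-MTI = SMS-DELIVER, TP-MMS set
    "0C91" "447700091032"   # TP-OA: 12 digits, international, +447700900123
    "7F"                    # TP-PID: (U)SIM data download
    "F6"                    # TP-DCS: class 2, 8-bit data
    "11215181233000"        # TP-SCTS: dummy timestamp
    "03" "010203"           # TP-UDL, TP-UD
)

OPERATOR_OTA_PLATFORM = frozenset({"+447700900001"})  # constructed whitelist

if __name__ == "__main__":
    sample = parse_sms_deliver(SAMPLE_TOOLKIT_TPDU)
    print(sample.originator, hex(sample.pid), hex(sample.dcs),
          filter_decision(sample, OPERATOR_OTA_PLATFORM))
```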

The vulnerability was reported by Alecu to the Computer Emergency Response Team and a vulnerability number has been allocated but there are no details on when a fix might be produced. Alecu said that the issue is more easily addressed by filtering by operators than by trying to update millions of handsets anyway. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/20/sim_toolkit_attack/

Atari and Square Enix cough to exposing users’ privates

Atari has apologised to gamers following a security breach that exposed their names and email addresses, leaving users at heightened risk of spam as a result.

The gaming outfit blamed the fairly minor breach (no credit cards or mobile phone numbers were exposed) on problems introduced during a migration to a new cloud-based server platform. The breach came to our attention via an Atari email (extract below) forwarded by Reg reader Troy, who commented: “Well, this sounds like fun, might explain all the recent spam I have been getting”.

Atari has discovered that some information that you provided to Atari when you registered on our site was recently able to be viewed publicly. The information that was viewable was your name and e-mail address.

This occurred when an outside contractor working on our website created some spreadsheets related to registered users. The spreadsheets were maintained on a database hosted on a cloud server that crashed.

When the server was brought back up online, the firewall around the database was inadvertently not re-established. As a result, there was an approximate three week period of time when names and e-mail address were able to be found and viewed online.

A registered user brought this to our attention and within 24 hours the database was removed from the internet and could not be seen by anyone. Atari takes very seriously the privacy of its registered users.

Atari is implementing new protocols to further assure the privacy of user data. If you have any questions, please contact Atari at [email protected]. Atari is grateful for its registered users’ interest in our products and looks forward to continuing to provide interesting and useful information about our games and products to you in the future.

Separately, games developer Square Enix admitted over the weekend that it had lost up to 1.8 million user data records, including names, addresses and phone numbers, to attackers following a hack attack on its website. Personal details of gamers in the US and Japan spilled as a result of the breach at Square Enix, which thankfully also didn’t involve credit card details.

The incidents are just the latest in a seemingly never-ending line of security flaps involving gaming firms this year. The most notorious of these breaches led to the weeks-long suspension of Sony’s PlayStation Network back in April.

Chris Boyd (AKA Paperghost), an avid gamer and security consultant at GFI Software, told El Reg that “games companies are still providing a juicy target” for hackers and other ne’er do wells.

“Gamers should continue to be wary with regards what information they give to games companies as the massive amount of information these companies collect is proving too valuable a target to resist,” he warned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/20/atari_gaming_security_fail/

iPad scammers pwn Lady Gaga’s Facebook page

Fraudsters have hit gold after they managed to successfully plant an iPad-themed scam on the Facebook fan page of Lady Gaga.

The page has 45 million fans, so only a minute percentage need to click for scammers to tap into an Xmas-themed windfall. The bogus messages claim the pop-star is running an iPad competition on the back of some sort of marketing deal with Apple.

Fans are invited to sign up to the competition for a chance to win a supposed “Lady Gaga Edition iPad”.

“The webpage users were directed to was hosted on the free blogspot service, and has since been removed. Anyone who clicked on the link, and filled in online forms, may have unwittingly handed their personal information to scammers and potentially helped them earn revenue by completing online surveys,” net security firm Sophos reports.

The scam message was pulled an hour after it first appeared, limiting the potential for damage. Even so records show that more than 120,000 people clicked on the offending link.

The Facebook pages of the bands Maroon 5 and Blink 182 were also reported as having been hit by similar scams.

Survey scams have been endemic on Facebook for months. Marks are invited to fill in worthless surveys, earning scammers a commission in the process, in exchange for the supposed opportunity to participate in prize draws. In many cases marks are induced to sign up for premium rate SMS services of dubious utility. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/19/ipad_scammers_pwn_lady_gaga/

Adobe kills two actively exploited bugs in Reader

Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines.

Version 9.4.6 of the programs fixes two memory-corruption bugs that Adobe says are “being actively exploited in limited, targeted attacks in the wild” against machines running Windows. The same bugs are present in Mac and Unix versions of the applications, but there are no reports of machines running them being exploited. The bugs are also present in Reader X for Windows, but a security sandbox, which Adobe added last year to minimize the damage that results from code flaws, prevents the attacks from working.

As a result, those versions will be updated next month, during a regularly scheduled patch release.

Adobe warned of the attacks earlier this month in an advisory that credited military contractor Lockheed Martin and the Defense Security Information Exchange. A day later, researchers from antivirus provider Symantec warned that email-borne attacks exploiting the flaw to install Backdoor.Sykipot were detected as early as November 1. The vulnerability in the U3D, or Universal 3D, file format is identified as CVE-2011-2462.

On Friday, Adobe said a second vulnerability – in an RPC, or remote procedure call, component – was also under attack. It’s identified as CVE-2011-4369. Adobe representatives provided no other details of the vulnerability, except to say they are “only aware of one instance” of it being used. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/17/adobe_reader_critical_update/

Carrier IQ meets feds ‘to educate them’

The makers of the controversial smartphone app Carrier IQ have reportedly been quizzed by federal regulators over concerns that its technology tracked user activity and uploaded data to mobile operators behind the back of consumers.

The Washington Post reports that senior Carrier IQ execs have met with representatives from US consumer watchdog the Federal Trade Commission (FTC) and staff from the Federal Communications Commission (FCC) to explain the firm’s position. Controversy over Carrier IQ’s mobile network diagnostic tool reignited earlier this week after it emerged, via freedom of information requests, that the FBI is using data captured by the app.

The FBI denies asking for data obtained by Carrier IQ’s software, at least directly. It seems that information snaffled by the utility was handed over by carriers in response to lawful interception requests, The Guardian reports.

Carrier IQ said it had sought meetings with regulators in order to allay possible concerns and defuse privacy fears. It denies being hauled in as part of a more formal investigation.

“Carrier IQ sought meetings with the FTC and FCC to educate the two agencies… and answer any and all questions,” Andrew Coward, the senior vice president for marketing, told the Post. He added that he was unaware of any official investigation into the firm.

Coward met FTC and FCC staffers alongside Carrier IQ chief executive, Larry Lenhart, as well as congressional staff. US senator Al Franken wrote to Carrier IQ last month soon after the controversy about its technology first emerged.

Security researcher Trevor Eckhart was the first to raise concerns about Carrier IQ’s technology. After initially serving Eckhart with a cease and desist letter the firm has since come around and explained how its technology operates in a way that has defused many of the original concerns. It’s not a mobile rootkit or keylogger, contrary to initial reports and descriptions of the technology by Google’s chairman Eric Schmidt, respectively. However transparency and privacy issues remain valid concerns.

Carrier IQ explained earlier this month that its technology is only designed to diagnose operational problems on networks and mobile devices, such as dropped calls, data transmission speeds and battery life. “While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video,” it said (PDF statement here).

Actually that last bit turns out to be not entirely true because the software firm was obliged to admit that a security bug meant its application did collect the contents of SMS messages in some circumstances. An SMS message would get embedded in signalling if, for example, a user received a message during a call. The data would be encoded and not easily readable by a human, as explained in a blog post by Kaspersky Lab’s Threatpost blog here.

Smartphone manufacturers and US network providers confirmed that phones and networks using Carrier IQ technology include Apple, AT&T, Sprint, HTC, Samsung and T-Mobile. The formerly obscure software runs on more than 141 million handsets, according to stats prominently displayed on Carrier IQ’s site.

Apple is reportedly going to use a future software update to remove the unholy utility from Jesus phones, where diagnostic reports generated via the software are only sent back with the permission of users. The technology is even more deeply embedded in Android smartphones. Users have the ability to detect the app using third-party detection tools from anti-virus firms but don’t have the ability to actually remove it.

Comment

None of this is what you’d call terribly reassuring but we’re still inclined to believe, as Carrier IQ insists, that its technology is not designed as a tool for lawful interception but as a means for carriers to diagnose handset and network problems. Each implementation is different and so the diagnostic information actually gathered by Carrier IQ’s technology varies between different mobile operators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/

Security mandates aim to shore up shattered SSL system

A consortium of companies has published a set of security practices they want all web authentication authorities to follow for their secure sockets layer certificates to be trusted by browsers and other software.

The baseline requirements (PDF), published this week by the Certification Authority/Browser Forum, are designed to prevent security breaches that compromise the tangled web of trust that forms the underpinning of the SSL certificate system. Its release follows years of mismanagement by individual certificate authorities permitted to issue credentials that are trusted by web browsers. Most notable is this year’s breach of DigiNotar, which led to the issuance of a fraudulent certificate used to snoop on 300,000 Gmail users in Iran.

The four dozen or so members of the CAB Forum still have a way to go, since their requirements are meaningless unless they are mandated by the software makers who place their trust in the authorities.

And it’s not yet clear that will come to pass. Of the five browser makers queried for this article, only Opera has committed to make compliance with the requirements a condition for including an authority’s root certificate in its software. A Mozilla official, meanwhile, said only that the requirements would be discussed among developers in online forums.

A Microsoft statement said the company “will work with the industry Auditors and Certificate authorities to get the new guidelines factored into the Microsoft Root Program.” Company representatives didn’t respond to an email asking what that means. A Google spokesman said Chrome trusts whatever CAs are trusted by the underlying operating system. Representatives from Apple didn’t respond to emails seeking comment.

As the term suggests, the baseline requirements would serve as a set of industry practices each CA would be required to follow to remain in good standing. Among other things, they would require CAs to “develop, implement, and maintain a security plan” to prevent the types of breaches that hit DigiNotar. The guidelines also mandate the reporting of breaches and the revocation of any fraudulently issued certificates that resulted, and require the use of certificates with RSA signing keys of 1024 bits or higher.

As useful as each requirement is, this week’s release only underscores how hopelessly broken the SSL system is. With some 650 entities around the world authorized to issue certificates trusted by Internet Explorer, Chrome, Firefox, and other browsers, all it takes is the incompetence or malfeasance of one of them to bring the entire system down. Even if the requirements become a condition adopted by all browser makers, it’s not clear they have the will or the ability to adequately enforce the measures.

With the cracks in the net’s foundation of trust too big to ignore, a variety of alternatives are competing for attention. Among the most appealing is the Convergence project devised by security researcher Moxie Marlinspike, which relies on a loose confederation of notaries that independently vouch for the authenticity of a given SSL certificate.

In addition to removing trust in an unwieldy number of CAs, this crowd-sourcing approach has huge privacy benefits, since notaries are intentionally kept in the dark about what sites a given IP address is accessing. Under the current SSL system, CAs get to log each visit an IP address makes to an HTTPS page protected by one of their certificates.

Other alternatives include a plan Google researchers published late last month. It would require all CAs to publicly disclose the cryptographic details of every certificate they issue so the credentials can be publicly verified. The proposal, which is in many respects similar to an alternative recommended by the Electronic Frontier Foundation, has already been criticized by some CAs, who object to publishing what they consider to be proprietary information.

With banks, merchants, and millions of other organizations using the SSL certificates to prove they’re the rightful owners of websites, and to encrypt data passing between their servers and end users, it’s hard to overstate the system’s importance. This week’s requirements probably won’t hurt, but it’s doubtful they’ll do much to fix the structural flaws that put us all at risk. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/17/ssl_certificate_security_requirements/

‘Self-aware’ bank account robbing code unleashed by hacker

A hacker has published code for potent cross-site scripting attacks that he claims go beyond the usual cookie stealing and phishing for users’ private details.

Cross-site scripting (XSS) flaws allow attackers to present content under their control in the context of a vulnerable yet trusted site, thus tricking marks into handing sensitive information to miscreants. As well as creating a means to present pop-ups that link to a hacker-controlled site, XSSes can also lead to cookie theft.

Niklas Femerstrand is the hacker who in October 2011 discovered that a debugging tool on the American Express website was vulnerable to an XSS flaw. He developed an “XSS on steroids” script while researching a similar flaw on the website of an unnamed Swedish bank.

“There are common myths about XSSes saying they can only be used for phishing and cookie harvesting,” he said. “My code bursts those myths and is so the first way of transforming a ‘non persistent’ XSS into a persistent state.”

“I have written self-aware code that recognizes its own presence and makes a local infection of its own payload into all links of a website presented to the infected visitor. This way the non-persistent XSS becomes persistent to the infected user. It also follows the user through page forms and sends interesting data to the attacker (usernames, passwords, credit card info),” he added.

Femerstrand last week published his attack code on his website here.

Rik Ferguson, director of security research and communication at Trend Micro, confirmed that the script developed by Femerstrand represents a more potent form of XSS but questioned if it was as innovative as the hacker claims. Ferguson said the technique used by Femerstrand has actually been around for a while and was implemented as a part of beefproject.com.

In response to this point, Femerstrand said: “I’ve heard of BeEF before but only taken quick looks. I did not know that they had implemented the same technique and didn’t find any whitepaper or similar about it. I saw their keylogging feature couldn’t separate input fields from each other and instead of logging only what’s being posted logs everything typed on the page. I never tried BeEF myself, but personally I think it looks a little bit too bloated.”

He said he published his attack code as a way of exposing what he argues is the inadequate security of banking institutions.

“The code was originally written as a proof of concept of how easy it is to rob a bank in modern times,” he said. “The way I see it the public is being ridiculed by financial institutions. There’s a huge security theater being performed by financial institutions. The public sees the PCI DSS standard and believes that the banks are doing a great job, but in the end of the day the only practical thing coming out of those standards are ‘verified by ourselves’ stamps of approval and 4 digit numeric PIN codes.”

“The modern banks know that when their business fails the government will be all over them with free money from bailouts. I think it’s beneficial to expose, not necessarily a whistle-blown ‘truth’, but the practical meaning of financial security,” Femerstrand added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/16/potent_xss_script/

Euro cops cuff 112 in paedophile network raids

Police across Europe have arrested 112 suspected members of a child abuse ring.

The suspects allegedly used the net to share depraved images and homemade videos depicting children and even toddlers being sexually abused and raped. A crackdown operation, co-ordinated by European police agency Europol, launched raids in 22 countries. Nineteen people were arrested in Denmark alone.

A massive 29 terabytes of data, featuring 9,000 hours of high-definition video, was seized from one Danish suspect alone.

The raids were carried out as part of Operation Icarus, an ongoing police investigation that is likely to result in further arrests. In a statement, Europol said investigators had identified a total of 269 suspects.

Operation Icarus is the first operation to conclude under the auspices of the new action plan of the COSPOL Internet Related Child Abuse Material Project (CIRCAMP), an initiative by EU police chiefs led by Belgium and backed by the European Commission. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/16/operation_icarus_child_abuse_arrests/

Manning’s lawyer calls for pre-trial officer to quit case

Alleged Wikileaks cables source Private Bradley Manning will not get an unbiased military trial unless the officer presiding over his case is replaced, said Manning’s defence lawyer David Coombs today.

The brief was speaking at a preliminary hearing in the military base of Fort Meade, Maryland, according to the Associated Press news wire.

The investigating officer Lt. Col. Paul Almanza presides over military trials as a judge or jury would in a civilian trial. Coombs claimed in court that Almanza’s other day job as a Justice Department prosecutor made him biased – said department is in the middle of holding an investigation into WikiLeaks founder Julian Assange. Almanza, who is an Army reservist, said he hasn’t formed an opinion about Manning’s guilt or innocence.

Today’s proceedings, officially known as an Article 32 hearing, are intended to test the evidence before the court determines whether or not Manning should face a court-martial; both the prosecution and defence make their initial cases and are permitted to cross-examine witnesses. The defence team asserts that the documents have caused little damage.

The prosecution today brought 23 charges against Private Bradley Manning.

The 23-year-old has been in jail since May 2010 when he was arrested on suspicion of endangering national security by allegedly leaking thousands of confidential government and military documents to Wikileaks, including a video of a US helicopter raid that killed 11 people. He was arrested after allegedly confiding in an ex-hacker. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/16/bradley_manning_trial/