STE WILLIAMS

Feds probe alleged World Cup bid email hack

Federal investigators are examining claims that email accounts of the US bid team for the 2022 World Cup were hacked as part of an alleged dirty tricks campaign that may also have affected the 2018 bid process.

FBI agents questioned members of England’s failed 2018 bid team last month as part of a wider investigation into corruption surrounding the bid process and Fifa’s affairs more generally. No one in the England bid team is suspected of any wrongdoing, The Daily Telegraph reports.

The inquiry centres around the alleged bribery of Caribbean football officials by Mohammed Bin Hammam, who ran against Sepp Blatter for the Fifa presidency this year. Bin Hammam, a Qatari national who withdrew his bid on the eve of an ethics committee meeting in May, received a lifetime ban from Fifa after it found him responsible for offering $40,000 (£25,000) bribes to Caribbean football officials. Jack Warner, former Fifa vice president and president of the Caribbean Football Union, resigned from roles in international football after an initial Fifa inquiry implicated him in the scandal.

The awards of the honour of hosting the 2018 and 2022 World Cup competitions to Russia and Qatar, respectively, have been among the most contentious in Fifa’s history. Just before the vote in October 2010, the voting rights of two members of Fifa’s 24-man executive committee were suspended over allegations that they were open to selling their votes.

Much of the FBI inquiry concerns the transport of large amounts of currency through US borders, an offence if the cash is not declared. A New York-based FBI squad tasked with investigating “Eurasian organised crime” has also been taking an interest in the matter since late August.

The email hacking allegations are new and, at present at least, somewhat vague. The FBI has reportedly collected “substantial evidence” documenting efforts to hack into the emails of US bid executives, who competed alongside their counterparts from South Korea, Australia, Qatar and Japan for the right to host the 2012 edition of football’s greatest tournament.

Qatar, a small desert country in the Middle East with no football heritage and a climate wholly unsuited to the beautiful game, emerged as the surprise winner of the 2012 bid.

It’s still unclear if the tournament will be moved to winter 2012 rather than its traditional slot of June and July. The country made a poor show of hosting the much smaller Asian Cup 2011, locking 5,000 ticket-holding fans out of the final match between Japan and Australia back in January. That raised yet further doubts, already fuelled by its poor human rights record, and even doubts over its ability to host hundreds of thousands of visiting football fans.

Russia, by contrast, has a large and expanding fan base, a healthy national football league and a World Cup heritage.

Why hack it?

Access to the email accounts of rival bid teams would have exposed plans to canvass support and would have given unscrupulous parties a huge edge in attempting to persuade voters to side with any particular bid.

In a statement, the Russia 2018 organising committee told The Telegraph that it was unaware of any FBI investigation. “Russia 2018 will not comment on speculation: the LOC [local organising committee] has not been contacted regarding any investigation, nor have we been made aware that any such investigation exists,” it said.

“We at Russia 2018 are proud of the way we conducted ourselves throughout a long and highly competitive campaign; as an LOC, we are driven by exactly the same transparency, commitment to excellence and spirit of Fair Play that underpinned our successful bid.”

Qatar and Bin Hammam also deny allegations of corruption in the desert kingdom’s World Cup bid campaign.

More commentary on the information security aspects of the FBI’s ongoing probe can be found in a blog post by net security firm Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/feds_probe_alleged_world_cup_bid_email_hack/

Criminal Records Bureau checks to go online

The Criminal Records Bureau (CRB) is to introduce an online status checking service for employers to verify that potential employees have been cleared for relevant jobs. It is intended to save people from having to request a new certificate every time they apply for a new role.

The move is one of the measures announced by Lynne Featherstone, the criminal information minister, in response to a review of the criminal records regime by the government’s independent advisor Sunita Mason. Featherstone said the government has accepted the majority of the recommendations and incorporated them in the Protection of Freedoms bill.

In a statement to Parliament, she said the online service is part of an effort to reduce the bureaucracy in the CRB regime. The checks are run for positions working with vulnerable people.

“We have included a provision to make the CRB process less burdensome on all concerned by introducing a new, online status checking capability that will in effect mean individuals can re-use their certificates for different employers across the same workforce and so will no longer need to apply for a new certificate every time they want to take up a new role,” she said. “This will have a positive impact on business, making it significantly easier for employers to take on staff in relevant sectors.”

A Home Office spokesman was unable to provide any further detail on how the service will work.

Other relevant features of the Protection of Freedoms bill include:

  • Ensuring that only relevant and accurate personal information will ever be disclosed by the police.
  • The opportunity for applicants to review and, if appropriate, dispute any information held about them by the police prior to it being disclosed to an employer.
  • Substantially reducing the scope of ‘regulated activity’ from which people can be barred.

The government has not accepted Mason’s call for a significant reduction in the number of people eligible for checks.

The Home Office also announced that the government will maintain the current arrangements for holding criminal records on the police national computer, while ensuring the controls on accessing those records are sufficiently strong.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/crb_checks_to_go_online/

Man fights felony hacking charge for accessing wife’s email

A Michigan appeals court is trying to decide whether the state’s anti-hacking law should be invoked against a man who broke into his wife’s Gmail account to see if she was having an affair.

Leon Walker, 34, faces a maximum of five years in prison for using a shared family computer to read his wife’s personal email after she failed to return home one night. It turns out Clara Walker was indeed involved with another man, who just happened to be her previous husband.

Attorneys for Leon Walker told judges with the Michigan Court of Appeals that the law their client was charged under was ambiguous and was never intended for domestic matters. It was passed in 1979 and was designed to prevent identity and trade secret theft. They also warned that if the charges go forward, the law could criminalize activities such as parents monitoring their children’s online activities.

Judges hearing the case, according to USA Today, didn’t sound so sure.

“Your client is being charged with security intellectual property – her email, accessing her intellectual property,” judge Pat Donofrio said.

The three-judge panel is expected to issue an opinion next year.

More coverage from The Detroit News is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/cuckold_hacking_charges/

Gadget-hackers post how-to on BlackBerry PlayBook jailbreak

Gadget enthusiasts have produced a detailed guide on how to jailbreak BlackBerry PlayBook tablets.

A video showing the rooting of the RIM-manufactured device was published last week by the same group, without an explanation of how they did it. The new guide explains that the technique, which involves using a custom hacking tool but is otherwise pretty straightforward, takes advantage of the fact that device backups aren’t digitally signed.

This shortcoming permits the installation of the so-called DingleBerry tool needed to pull off the hack, as explained in a post by Neuralic here. Users attempting the hack need to have the beta 2.0 version of the PlayBook software installed. If successful, the hack allows consumers to install apps of their choosing from the Android Marketplace.

Neuralic warns that consumers tinker with the device entirely at their own risk. “You shouldn’t be able to do any permanent damage, but make sure to backup before playing with anything,” he cautions. “I take no responsibility for damage to your device.”

RIM is reviewing what to do following the release of the PlayBook jailbreak tool.

“RIM is aware of reports that a security researcher has released a tool designed to allow BlackBerry PlayBook users to jailbreak their tablet. RIM is following its standard security response process to investigate the functionality and impact of this tool and if needed, RIM will develop, test, and release a software update that is designed to minimize the potential adverse impact to our customers,” the firm said in a statement, Kaspersky Labs’ Threatpost blog reports.

The BlackBerry PlayBook tablet is the latest in a growing list of fondleslabs to be rooted, following hacks on the Amazon Kindle Fire and other devices before it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/blackberry_playbook_jailbreak_release/

Oz rail company sold USB keys from lost property in auction

Someone in RailCorp will be nursing a bruised ego after selling a pile of USB keys lost on trains in the authority’s regular lost property auction.

It may have never raised an eyebrow, except that the keys were bought by the keen-eyed Paul Ducklin of Sophos. What Ducklin thought of as a good source of research into user habits has consequently turned into a shouting match over privacy.

Certainly Ducklin’s research into the keys he picked up at the auction reveals a nation of overconfident users. Extracting the metadata from the keys – he emphasised, both in this blog post and on the telephone to The Register, that nobody at Sophos viewed any private data – he discovered that none of the keys were encrypted (or had any kind of access control enabled), and two-thirds were infected with malware.

The pervasive problem of USB data leakage also popped up, with CAD files, meeting minutes, tax deductions and the like turning up on the keys.

On its own, that would have made a story, but the second story – the bruiser for RailCorp – was that the rail authority made no attempt to wipe the keys before selling them. This is at odds with the policies that dictate that more sensitive devices like PCs and mobile phones are wiped before sale.

According to SC Magazine, this brought a slap from the NSW privacy regulator, which stated that RailCorp “should be cleaning these USBs” before sale.

The Register was also moved to wonder whether someone’s lost USB stick might not be still protected by laws protecting private data against unauthorised access.

Although Ducklin is not a lawyer, the point hadn’t escaped him. He emphasised that in analysing the keys, Sophos didn’t open any private user files – rather, it created a script to scrape out information like filenames, and made its inferences from the filenames.

Also, under the legislation covering railway lost property, unclaimed objects eventually become the property of RailCorp. Since it, as the owner of the devices, on-sold them to Sophos, this should cover the “authorisation” question: by the time it analysed the USBs, Sophos was the owner. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/railcorp_sells_usb_keys/

Thieves plunder apartment for Facebook booty

São Paulo police are warning of the perils of flashing your wealth on Facebook after a teenager’s snaps of his electronic equipment and foreign holidays on the social network prompted thieves to rob his family’s apartment.

The unnamed 16-year-old was targeted by a student at his school when he “boasted among friends and put the information on Facebook”, according to cop Fabiana do Sena.

The “envious” youngster, also 16, enlisted the help of two adults for the robbery, and provided them with keys he’d stolen from his intended victim a few days previously.

The two men entered the apartment in a middle class area of São Paulo at around 11pm on 29 November, where they held up four people, apparently at gunpoint.

During the heist, one of the perps got a call on his mobile phone and said: “There’s not as much here as you said.”

The pair eventually made off with jewellery, six watches, electronic equipment and R$370 (£130) in cash.

During their escape, they were intercepted by members of São Paulo’s paramilitary police, and shot during a gun battle. They later died in hospital.

The teenager who instigated the robbery claimed he’d been pressured into it, Sena said.

The officer concluded: “Adolescents put personal information on these websites. It’s important that parents advise them not to do this.” ®

Bootnote

Muito obrigado to Eloi Assis for the tip-off.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/facebook_booty/

ICO smacks Welsh council with record £130k fine

Data privacy watchdogs have fined Powys County Council £130,000, the highest fine the ICO has ever levied, for failing to protect the personal data of vulnerable young people.

The Information Commissioner’s Office got out the big stick to punish the Welsh council after it sent details of a child protection case to the wrong recipient, as a statement by the ICO explains.

Two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.

In a horrible twist, the serious privacy breach follows a similar but less serious incident in June last year, when a social worker sent information relating to a vulnerable child to the same recipient. The ICO also made it clear that the recipient knew the parent/s and the child/s named in the reports in both instances.

Powys was advised to introduce mandatory training and to tighten up its security measures following the first incident. Its failure to apply this properly has resulted in the whopper fine, which will ultimately come out of the pockets of local council tax-payers. The council has also been served with an enforcement notice.

The penalty is the highest that the ICO has served since it received the power in April 2010. Most but not all of these fines have been levied against local authorities, who seem particularly lax about data security. The ICO also fined ACS:Law, the one-man law firm which controversially harried alleged file-sharers, over a security breach arising from a hack attack.

Assistant Commissioner for Wales Anne Jones said: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.

“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,” she added.

Christian Toon, European head of information security at information management services firm Iron Mountain, said the Powys breach highlighted the need for user education.

“In so many cases these incidents are the result of carelessness and lack of thought rather than any malicious intention,” Toon said. “Having said that, the public has the right to expect that information about them is handled with care at all times. For public sector organisations this should mean committing to regular staff training and the creation of robust guidelines that everyone understands and buys into – employees must be encouraged to think before they act.”

“There is no excuse; basic errors such as printing highly sensitive and private child protection reports to a shared printer should not be happening in a modern and accountable government organisation,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/welsh_council_record_ico_fine/

Row over Korean election DDoS attack heats up

A political scandal is brewing in Korea over alleged denial of service attacks against the National Election Commission (NEC) website.

Police have arrested the 27-year-old personal assistant of ruling Grand National Party politician Choi Gu-sik over the alleged cyber-assault, which disrupted a Seoul mayoral by-election back in October.

However, security experts said that they doubt the suspect, identified only by his surname “Gong”, had the technical expertise or resources needed to pull off the sophisticated attack. Rather than knocking the NEC website offline, the attack made a portion of the website – offering information on voting booth locations – inaccessible.

Despite this issue resembling a technical fault rather than a DDoS attack, the incident is being treated as a criminal attack by the police, who have arrested Gong and charged him along with three others.

Police said that the “attack”, which lasted for more than two hours, was launched using a total of 10 wireless internet connections, including five T-Login and five WiBro connections. Police speculated that this was either a way of making it harder to thwart the attack or an attempt to complicate police efforts to investigate the assault. A police official told Korean daily newspaper The HankYoreh: “This went beyond simply using zombie PCs and wireless internet to launder IP addresses. It was a sophisticated attack.”

Opposition groups argue that the early morning timing of the attack was carefully designed to disrupt the voting of young commuters, who are more likely to vote for opposition (liberal) candidates. They want to force a parliamentary audit or special prosecutor’s investigation if the police investigation fails to get to the bottom of the attack.

Gong continues to protest his innocence, a factor that has led opposition politicians to speculate that he is covering up for higher-ranking officials who ordered the attack.

Democratic Party politician Baek Won-woo told The HankYoreh: “We need to determine quickly and precisely whether there was someone up the line who ordered the attack, and whether there was compensation.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/korean_election_ddos_row/

‘Evil’ pleads guilty in Platform Networks case

David Noel Cecil, who earlier this year was arrested on accusations that he had hacked into computers operated by Platform Networks, has pleaded guilty to two counts of causing unauthorized modification of data.

Cecil, who launched the attack under the moniker “Evil”, entered the plea via his solicitor Peter Ringbauer, according to the Central Western Daily.

The attack on Platform Networks earlier this year led to a flurry of entirely inaccurate but distressingly persistent stories that Australia’s National Broadband Network had been hacked. Nothing of the sort happened: Platform was signed on as an NBN retail service provider, but had not yet gone live on the service.

That widespread cluelessness, partly fuelled by early police statements that the attack “threatened Australia’s cyber-infrastructure”, eventually drew an angry response from NBN Co CEO Mike Quigley that there was no threat to the NBN infrastructure.

Cecil still faces a further 48 charges. The Central Western Daily quotes Ringbauer as stating that many individual incidents occurred within seconds of each other. It is therefore feasible that prosecutors may consolidate these into a smaller number of charges when the matter returns to Orange Local Court on December 16. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/06/evil_pleads_guilty/

Military contractor warns of new Adobe Reader exploit

Attackers are exploiting a vulnerability in the latest versions of Adobe Reader and Acrobat applications to hijack computers running Microsoft Windows, Adobe warned on Tuesday.

The vulnerability, which corrupts memory involved with the U3D, or Universal 3D, file format, was reported by members of Lockheed Martin’s computer incident response team and the Defense Security Information Exchange. Both groups monitor security threats affecting military contractors and organizations. Adobe’s advisory said the bug is reportedly “being actively exploited in limited, targeted attacks in the wild,” but didn’t elaborate.

While attackers are exploiting only Reader 9.x on Windows, all supported versions of Adobe Reader and Acrobat are vulnerable.

Adobe will ship an emergency update no later than the end of next week for Reader 9.x and Acrobat 9.x. Remaining updates for Reader X and Acrobat X, and versions that run on the OS X and UNIX operating systems, will be delivered on January 10, the date of Adobe’s next scheduled patch release. Brad Arkin, Adobe’s senior director of product security and privacy, said a security sandbox built into Reader X prevented attacks from executing malicious code, and that versions written for non-Windows systems aren’t being targeted.

“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier,” he wrote in a blog post. “We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”

The phrase “limited, targeted attacks in the wild” has often been used to describe exploits directed at military contractors and other companies known to possess information that’s critical to national security. An attack that extracted sensitive information about RSA SecurID authentication tokens used by 40 million employees to access sensitive corporate and government networks relied on Adobe Flash code embedded in a Microsoft Excel document. Security reporter Brian Krebs recently reported that as many as 100 Fortune 500 companies may have been hit in the same attack.

Over the past year, Adobe has made significant improvements to the security of its software. Key among them is the sandbox it added to the latest version of Reader for Windows. It separates application functions from sensitive parts of the operating system, such as reading and writing to the hard drive. Adobe’s ability to more quickly patch vulnerabilities under attack also appears to have improved.

But the current rash of exploits, however small and targeted, shows the continuing risks that come from running the software. With a plethora of document readers available, it’s a good idea to switch to one that’s less targeted. Windows users who must use the application should immediately switch to Reader X to avail themselves of the huge investment Adobe developers put into it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/06/adobe_reader_attacks/