STE WILLIAMS

Woman cuffed by phone-hack probe plods

Scotland Yard arrested a 31-year-old woman just before dawn today on suspicion of conspiring to intercept voicemail messages.

The Met said the unnamed woman was currently being held in custody at a police station in Northumbria.

“Officers from Operation Weeting have this morning, Wednesday, 30 November, arrested a woman in connection with conspiring to intercept communications,” it said.

“At 0635 officers arrested the woman on suspicion of conspiracy to intercept voicemail messages, contrary to Section 1(1) Criminal Law Act 1977.”

This is the 17th such arrest under the Weeting investigation. Charges are yet to be brought against anyone being probed by the Met on suspicion of phone-hacking. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/30/operation_weeting_31_year_old/

Anonymous launches OpRobinHood against banks

Anonymous and other hacktivists have joined together to launch an attack on banks in response to recent crackdowns against the Occupy protest movement.

TeaMp0isoN and Anonymous are joining forces to run OpRobinHood, which will involve using stolen credit card details to make donations to charities and others, supposedly at the expense of the banks.

In regards to the recent demonstrations and protests across the globe, we are going to turn the tables on the banks. Operation Robin Hood is going to return the money to those who have been cheated by our system and most importantly to those hurt by our banks. Operation Robin Hood will take credit cards and donate to the 99% as well as various charities around the globe. The banks will be forced to reimburse the people there [sic] money back.

Standard practice in cases where banks identify a fraudulent transaction is to reverse transactions and levy a chargeback – a reversal of a prior outbound transfer of funds. So while customers with compromised credit cards might not lose out, charities who receive fraudulent donations might actually end up out of pocket. 

TeaMp0isoN and Anonymous claim to have already taken Chase, Bank of America, and CitiBank credit cards with “big breaches across the map” and to have begun donating thousands to many protests around the world, as well as to homeless charities and other philanthropic organisations.

The hacktivists want bank account holders to withdraw their funds and deposit them in credit unions instead, something started with the legitimate Operation Cash Back scheme a few weeks ago. The hacktivists are not afraid to take on the banks, as their statement goes on to explain.

We are not afraid of the Police, Secret Service, or the FBI. We are going to show you banks are not safe and take our money back. We are going to hit the true evil while not harming their customers and helping others. We are not only starving the banks but are ready to start the attack. We have come to take the 99%’s money back. We are not asking permission.

TeaMp0isoN and Anonymous previously collaborated on the OpCensorThis rap song exercise, which the former was far more active in promoting than the latter. Anonymous needs little introduction. TeaMp0isoN is another (arguably more politically militant) hacktivist group, most famous for defacing the BlackBerry blog around the time of the London riots. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/30/anon_oprobinhood/

HP douses firebomb printer hack threat

Researchers claim to have discovered a security flaw in HP LaserJet printers that permits the installation of malicious firmware that might be capable of disabling safety controls.

In a demo, Columbia University’s Professor Salvatore Stolfo and Ang Cui show how it might be possible to instruct a hacked printer to overheat a component used to dry ink, causing paper to heat up and eventually smoke. In the demo a thermal switch caused the printer to shut down before a fire started, but the researchers reckon this too could be disabled, creating a possible mechanism for hackers to use vulnerable printers to start fires.

HP disputes this, stating that thermal switches in its printers are outside the control of firmware updates. “[The thermal breaker] cannot be overcome by a firmware change or this proposed vulnerability,” it said.

Less imaginative miscreants could use compromised printers as spying devices, extracting information from the print and scan jobs passing through the attacked devices.

The security shortcoming stems from a failure to mandate digitally signed firmware updates on (at least older) printers. So a booby-trapped update could be applied without any check, provided an attacker manages to get it to the device. Exploit scenarios would range from tricking marks into printing maliciously constructed documents to remotely applying updates to internet-accessible printers, the sort of thing even the most basic firewall setup ought to block.
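What mandatory signature checking buys, as an added example written for this page (not HP's code or the Columbia team's): a toy update loader in Go that pins the vendor's Ed25519 public key, installs a genuine signed image, and rejects both an unsigned image and a genuine signature re-attached to a modified payload. The image format and the device model are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, minimal update package: the image bytes
// plus a detached signature over them. Real vendor formats differ; this
// layout is the example's assumption.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrUnsigned = errors.New("firmware rejected: image carries no signature")
	ErrBadSig   = errors.New("firmware rejected: signature does not verify against the vendor key")
)

// Device models a printer that pins the vendor's public key at manufacture
// and installs only images whose signature verifies against it.
type Device struct {
	vendorKey ed25519.PublicKey
	installed []byte
}

// Apply is the check the article says older models lacked: without it, any
// image that reaches the device (embedded in a print job or sent over the
// network) is installed as-is.
func (d *Device) Apply(img FirmwareImage) error {
	if len(img.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(d.vendorKey, img.Payload, img.Signature) {
		return ErrBadSig
	}
	d.installed = append([]byte(nil), img.Payload...)
	return nil
}

// SignImage is the vendor build pipeline's step; the private key never
// leaves the vendor, so only the vendor can produce an accepted image.
func SignImage(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Scenario exercises the three cases a loader must get right: a genuine
// image is accepted, an unsigned image is rejected, and a genuine signature
// re-attached to a modified payload is rejected. It returns the verdicts
// and the firmware left installed.
func Scenario() (accepted, unsignedRejected, tamperedRejected bool, installed []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{vendorKey: pub}

	genuine := SignImage(priv, []byte("LJ-FW v1.0 (constructed sample image)"))
	accepted = dev.Apply(genuine) == nil

	unsigned := FirmwareImage{Payload: []byte("LJ-FW v1.0 (constructed third-party image, no signature)")}
	unsignedRejected = errors.Is(dev.Apply(unsigned), ErrUnsigned)

	tampered := genuine
	tampered.Payload = bytes.Replace(genuine.Payload, []byte("v1.0"), []byte("v1.1"), 1)
	tamperedRejected = errors.Is(dev.Apply(tampered), ErrBadSig)

	return accepted, unsignedRejected, tamperedRejected, dev.installed
}

func main() {
	a, u, t, fw := Scenario()
	fmt.Printf("genuine accepted=%v unsigned rejected=%v tampered rejected=%v\n", a, u, t)
	fmt.Printf("installed firmware: %q\n", fw)
}
```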

HP told MSNBC, which was the first to report the vulnerability, that its LaserJet printers have required digitally signed firmware updates since 2009. The printer giant said the researchers must have used older models, a point disputed by the Columbia team, who say they bought the printer used in the demo from an office supplies outlet in New York only two months ago. HP is reportedly investigating the issue to determine a list of devices that might be at risk of attack.

Modern printers and scanners are, essentially, computers themselves, so compromising a device within a corporate network might allow hackers to use the equipment as a beachhead within a business’s defences for attacks on more sensitive systems, such as databases.

It’s unclear whether manufacturers other than HP, the market leader, build devices that might also be vulnerable to the same sort of firmware manipulation attack demonstrated by the Columbia team. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/30/hp_probes_fire_started_printer_vuln/

BUSTED! Secret app on millions of phones logs key taps

An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of their users.

In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock EVO handset, which he had reset to factory settings just prior to the demonstration. Using a packet sniffer while his device was in airplane mode, he demonstrated how each numeric tap and every received text message is logged by the software.

Ironically, he says, the Carrier IQ software recorded the “hello world” dispatch even before it was displayed on his handset.

Eckhart then connected the device to a Wi-Fi network and pointed his browser at Google. Even though he denied the search giant’s request that he share his physical location, the Carrier IQ software recorded it. The secret app then recorded the precise input of his search query – again, “hello world” – even though he typed it into a page that uses the SSL, or secure sockets layer, protocol to encrypt data sent between the device and the servers.

“We can see that Carrier IQ is querying these strings over my wireless network [with] no 3G connectivity and it is reading HTTPS,” the 25-year-old Eckhart says.

The video was posted four days after Carrier IQ withdrew legal threats against Eckhart for calling its software a “rootkit.” The Connecticut-based programmer said the characterization is accurate because the software is designed to obscure its presence by bypassing typical operating-system functions.

In an interview last week, Carrier IQ VP of Marketing Andrew Coward rejected claims the software posed a privacy threat because it never captured key presses.

“Our technology is not real time,” he said at the time. “It’s not constantly reporting back. It’s gathering information up and is usually transmitted in small doses.”

Coward went on to say that Carrier IQ was a diagnostic tool designed to give network carriers and device manufacturers detailed information about the causes of dropped calls and other performance issues.

Eckhart said he chose the HTC phone purely for demonstration purposes. Blackberrys, other Android-powered handsets, and smartphones from Nokia contain the same snooping software, he claims.

The 17-minute video concluded with questions, including: “Why does SMSNotify get called and show to be dispatching text messages to [Carrier IQ]?” and “Why is my browser data being read, especially HTTPS on my Wi-Fi?”

The Register has put the same questions to Carrier IQ, and will update this post if the company responds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/30/smartphone_spying_app/

Google researchers propose fix for ailing SSL system

Security researchers from Google have proposed an overhaul to improve the security of the Secure Sockets Layer encryption protocol that millions of websites use to protect communications against eavesdropping and counterfeiting.

The changes are designed to fix a structural flaw that allows any one of the more than 600 bodies authorized to issue valid digital certificates to generate a website credential without the permission of the underlying domain name holder. The dire consequences of fraudulently issued certificates were underscored in late August when hackers pierced the defenses of Netherlands-based DigiNotar and minted bogus certificates for Google and other high-profile websites. One of the fraudulent credentials, for Google mail, was used to snoop on as many as 300,000 users, most of them from Iran.

Under changes proposed on Tuesday by Google security researchers Ben Laurie and Adam Langley (PDF here), all certificate authorities would be required to publish the cryptographic details of every website certificate to a publicly accessible log that’s been cryptographically signed to guarantee its accuracy. The overhaul, they said, is designed to make it impossible – or at least much more difficult – for certificates to be issued without the knowledge of the domain name holder.
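One way to realise the signed public log the proposal describes, written for this page as an added example rather than taken from Laurie and Langley's paper: a Merkle-tree log (RFC 6962 style, an assumption here, since the article does not fix the construction) whose operator signs the tree size and root, so a browser can check that a presented certificate is really in the published log, while the domain holder can read the same log for certificates in its name. The entries are constructed "<subject>|<issuer>" strings standing in for certificates.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hashWith domain-separates leaves (0x00) from interior nodes (0x01), RFC 6962 style (an assumption here).
func hashWith(prefix byte, parts ...[]byte) []byte {
	sum := sha256.Sum256(bytes.Join(append([][]byte{{prefix}}, parts...), nil))
	return sum[:]
}

// Step is one sibling hash on the audit path from a leaf up to the root.
type Step struct {
	Sibling []byte
	OnLeft  bool
}

// RootAndProof returns the Merkle root over entries and the audit path for
// leaf idx; subtrees split at the largest power of two below len(entries).
func RootAndProof(entries [][]byte, idx int) ([]byte, []Step) {
	if len(entries) == 1 {
		return hashWith(0x00, entries[0]), nil
	}
	k := 1
	for k*2 < len(entries) {
		k *= 2
	}
	if idx < k {
		lroot, path := RootAndProof(entries[:k], idx)
		rroot, _ := RootAndProof(entries[k:], 0)
		return hashWith(0x01, lroot, rroot), append(path, Step{rroot, false})
	}
	lroot, _ := RootAndProof(entries[:k], 0)
	rroot, path := RootAndProof(entries[k:], idx-k)
	return hashWith(0x01, lroot, rroot), append(path, Step{lroot, true})
}

// TreeHead is the operator's signed statement of the log's size and root.
type TreeHead struct {
	Size      int
	Root, Sig []byte
}

func headBytes(size int, root []byte) []byte { return []byte(fmt.Sprintf("%d:%x", size, root)) }

// SignHead is the operator's side; entries are constructed "<subject>|<issuer>" strings standing in for DER certs.
func SignHead(priv ed25519.PrivateKey, entries [][]byte) TreeHead {
	root, _ := RootAndProof(entries, 0)
	return TreeHead{len(entries), root, ed25519.Sign(priv, headBytes(len(entries), root))}
}

// ClientAccepts is the browser-side check: the head must carry the operator's
// signature and the audit path must recompute exactly its root.
func ClientAccepts(pub ed25519.PublicKey, th TreeHead, cert []byte, path []Step) bool {
	if !ed25519.Verify(pub, headBytes(th.Size, th.Root), th.Sig) {
		return false
	}
	h := hashWith(0x00, cert)
	for _, s := range path {
		if s.OnLeft {
			h = hashWith(0x01, s.Sibling, h)
		} else {
			h = hashWith(0x01, h, s.Sibling)
		}
	}
	return bytes.Equal(h, th.Root)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	entries := [][]byte{[]byte("www.example.com|CA-A"), []byte("mail.google.com|CA-B")} // constructed log
	th := SignHead(priv, entries)
	_, path := RootAndProof(entries, 1) // audit path for the second entry
	fmt.Println("logged cert accepted:", ClientAccepts(pub, th, entries[1], path))
	fmt.Println("unlogged cert accepted:", ClientAccepts(pub, th, []byte("mail.google.com|CA-C"), path))
}
```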

“We believe that this design will have a significant, positive impact on an important part of the internet security and that it’s deployable,” Langley wrote in a blog post. “We also believe that any design that shares those two properties ends up looking a lot like it.” Some of the ideas overlap with recommendations recently published by the Electronic Frontier Foundation for improving the security of SSL.

While few disagree that SSL in its current form is hopelessly broken, finding agreement on a way to fix the fragile certificate authority infrastructure has proven to be elusive. Indeed, within hours of Laurie and Langley’s plan going public, critics were already saying it was unworkable. Among the complaints was the critique that it would require the divulging of information considered to be proprietary in the fiercely competitive market for SSL certificates.

“I assume that CAs wouldn’t agree to provide their entire customer data to the public (and competition),” Eddy Nigg, COO and CTO of StartCom, the Israeli-based operator of StartSSL, told The Register. He held out a voluntary set of baseline requirements recently adopted by the CA/Browser Forum as a more effective fix. Members of the forum hope to make the requirements mandatory for all CAs.

Nigg also said that Laurie and Langley’s proposal could place significant technical burdens on website operators and browser makers. One or more authorities would have to be established to compile the lists around the clock and make them available to millions of users each time they access an SSL-protected page, and both activities would require considerable bandwidth and processing resources to be done properly.

“If browsers would have to ping this data upon every first connection per day per site, this would require lots of resources,” Nigg said. “This is something Google might be able to do, but not that many other entities will have those capabilities and interest.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/google_proposes_ssl_fix/

Facebook, FTC settle over privacy ‘deception’

“It is ordered”, says the FTC’s proposed settlement with Facebook, that the social network “shall not misrepresent in any manner … the extent to which it maintains the privacy or security” of its users.

And with that order, the battle between the FTC and Facebook has reached a settlement, as was foreshadowed earlier this month.

The FTC has announced the proposed settlement, under which it had alleged that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public”.

The commission’s original complaint was prompted by the way that information users had marked in their profiles to be shared only with friends or friends-of-friends remained available to so-called “Platform Applications” (such as games). In other words, if a user shared a game with a friend, even “friends only” information became available to the game.

Facebook’s various arbitrary changes to its privacy policies and settings had also come under attack, along with the scope of access platform apps were given to users’ data, its disclosure of information to advertisers, the “deceptive” verified apps program, disclosure of photos and videos, and breaches of the US safe harbour framework that allows data to be sent offshore.

Under the proposed settlement, Facebook is prevented from misrepresenting users’ privacy or security; is required to get “express consent” before altering users’ privacy preferences; must prevent access to deleted account material after 30 days; will agree to establish and maintain a privacy program; and will submit to a bi-annual privacy review for the next 20 years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/facebook_ftc_settlement/

Danger worm hijacks Facebook accounts to inject banking Trojan

Beware of poisoned photo links

A dangerous worm is using Facebook to spread itself by posting malicious links on the social networking website that point to malware-tainted sites loaded with a variant of the Zeus banking Trojan as well as other nasties.

The malware uses stolen Facebook account credentials to log into compromised accounts and post links, according to security researchers at CSIS in Denmark, who were the first to detect the threat. The malicious links generated by the worm pose as links to a photo file posted by the account-holder’s friend or online acquaintance.

In reality the file is a booby-trapped screensaver with a .jpg file extension. Users have to download and open the file, but if they are tricked into doing so the consequences can be quite dire, especially since anti-virus detection rates are quite low.

CSIS added that the worm is also using other domains to spread. A write-up on the worm by GFI Software can be found here. CSIS’s initial alert (in Danish) is here.

The Danish security consultancy was the first to warn that source code for the formerly pricey ZeuS banking Trojan creation toolkit had leaked back in May. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/facebook_worm_spreads/

Councils emailed vulnerable people’s data to strangers

Two local authorities have been hit by financial penalties from the Information Commissioner’s Office (ICO) after sending highly sensitive personal information to the wrong recipients.

The penalties have been imposed on North Somerset council and Worcestershire county council at a time when the ICO is pressing for stronger powers to audit data protection compliance across local government and the NHS.

Worcestershire has received an £80,000 fine for an incident in March 2011 in which a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

Enquiries by the ICO found that the council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. It also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.

On this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data, and the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.

A fine of £60,000 was imposed on North Somerset for a series of incidents in November and December 2010 in which a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

Although the council had policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training. The ICO has recommended that the council adopts a more secure means to send information electronically, including encryption and ensuring that managers sign off email distribution lists.

Christopher Graham, the information commissioner, said: “It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure.”

This article was originally published at Guardian Government Computing.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/information_commissioner_fines_worcestershire_and_north_somerset/

EU can’t discriminate between public and private personal data

EU member states cannot generally prohibit organisations’ legitimate and necessary but unauthorised processing of personal data where the information is not stored in specified public sources, the European Court of Justice (ECJ) has said.

The ECJ said that national rules that broadly exclude data processing in non-specified public sources in those circumstances are precluded under EU data protection laws.

“[The EU’s Data Protection Directive] must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources,” the ECJ said in its ruling.

The Court was ruling in a case involving a dispute about Spanish data protection laws and their compatibility with EU law. It was assessing whether Spain could give extra protection to personal data stored in non-public sources. According to the ruling, Spanish law classes as public sources the electoral roll, telephone directories and media publications, as well as some details about professional association membership.

Under the Data Protection Directive, personal data can only be processed under strict conditions. Personal data must be “processed fairly and lawfully” and be collected for “specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”. Organisations must then either obtain “unambiguous consent” from individuals before processing is lawful or satisfy one of a number of other conditions instead. If consent is not given, personal data processing can still be lawful provided it is “necessary for the purposes of the legitimate interests” pursued by the organisation, or by the third parties to whom the information is disclosed, and provided those interests are not “overridden by the interests for fundamental rights and freedoms of the data subject”.

Under the EU Charter of Fundamental Rights individuals generally have a right to privacy and protection of personal data.

Whilst Article 5 of the Directive allows EU member states to “determine more precisely the conditions under which the processing of personal data is lawful” that does not give member states the right to “impose additional requirements that have the effect of amending the scope” of lawful processing of personal data under the Directive, the ECJ said. There are separate rules around the processing of sensitive data, such as medical records, racial origin and religious beliefs.

“The margin of discretion which Member States have pursuant to Article 5 can therefore be used only in accordance with … maintaining a balance between the free movement of personal data and the protection of private life,” the ECJ said.

The Court said that unauthorised processing of non-publicly sourced personal data by organisations could result in a “more serious infringement” of individuals’ privacy rights than unauthorised processing of data from public sources. However, it said that it was not legitimate to broadly introduce greater protection over non-publicly sourced data in national law, as to do so would result in an imbalance between the privacy rights of individuals and the right of free movement of data.

“[Article 7(f) of the Data Protection Directive] precludes a Member State from excluding, in a categorical and generalised manner, the possibility of processing certain categories of personal data, without allowing the opposing rights and interests at issue to be balanced against each other in a particular case,” the ECJ said.

“In light of those considerations … Article 7(f) of [the] Directive must be interpreted as precluding national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that those data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources,” it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/ecj_rules_that_eu_states_cannot_discriminate_between_private_and_public_personal_data/

13 MILLION gamers in ID theft scare after Nexon breach

An estimated 13 million gamers have been left at greater risk of ID theft following a breach at gaming firm Nexon.

Data including names, usernames, encrypted resident registration numbers and password hashes was exposed as a result of the breach at Nexon, which maintains the popular online role-playing game, Maple Story. The data breach followed a hack on a backup server for Maple Story late last week. Details of the 5 million customers of other games maintained by Nexon were not exposed.

Nexon has promised to bolster its security in the wake of the attack, the Korea Herald reports. In addition, it is offering game items to gamers who change their passwords.

The security flap could hardly have come at a worse time for Nexon, which plans to float its business in little over a week on 6 December.

The breach at Nexon is only the latest in a growing list of security flaps involving video game developers this year, the most notorious of which led to the weeks-long suspension of Sony’s PlayStation Network back in April.

Matt Pauker, co-founder of data encryption firm Voltage Security, said the latest breach underlines the fact that gaming firms need to take security more seriously if they want to retain the trust of their fans.

“This is unfortunately the latest in a string of attacks against gaming sites; hackers have realised that they represent a virtual treasure trove of personal consumer data,” Pauker said. “It’s time for the gaming companies to realise that security can’t be an afterthought. Good security is just as important as good graphics.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/29/nexon_data_breach/