STE WILLIAMS

Stripper name game exposes sensitive privates on Tumblr

An online game that invites surfers to disclose potentially sensitive information has returned in a slightly different guise, two years after its first appearance.

A viral game that surfaced on Twitter back in May 2009 encouraged users of the service to come up with their “porn star name” – which was made up of the name of their first pet and the name of the street they lived in as a kid.

A marginally altered form of the same ruse surfaced on micro-blogging site Tumblr this week, encouraging trendy netizens to disclose the name of their “first pet” and the street where they live, this time to find out their supposed “stripper name”.

There’s no evidence to say that either application is malign but taking part just for a quick giggle is still a bad idea. That’s because, as Chris Boyd of GFI Software points out, information of this nature is often used to reset the passwords of webmail accounts and other similar services.

“Stop and think how many services still ask for your pet name and street name on things such as password reset questions,” Boyd writes. “Then pause to consider an email address you use may be public-facing, and have just such a question bolted onto it.”

“You may want to keep your clothes on and stick to the day job at that point,” he adds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/stripper_name_game_silliness/

Google machine-guns unpopular social products

Identity-hoarder Google has killed various social products that failed to capture the interweb’s hive brain in the way it clearly thinks Google+ has done.

As part of Larry Page’s drive to make the Chocolate Factory’s products appear more uniform across the vast Google estate, the company confirmed it was culling a host of webby experiments that didn’t take off.

“Overall, our aim is to build a simpler, more intuitive, truly beautiful Google user experience,” said Google.

It is taking out and shooting Wave, Friend Connect, Bookmarks Lists, Gears, Search Timeline and Knol.

A common theme runs through all of these products: each one having been dipped in Web2.0rhea.

Sadly none of them came up smelling of roses.

Wave was in fact binned by Google in August last year, after it confirmed that the unpopular product would live on until at least the end of 2010.

Come the end of January next year Google said it would make Wave a read-only online ghost town. The ad broker will kill that product come 30 April 2012.

“You’ll be able to continue exporting individual waves using the existing PDF export feature until the Google Wave service is turned off. If you’d like to continue using this technology, there are a number of open-source projects, including Apache Wave and Walkaround,” Google said.

The Friend Connect product will be culled in March. In the meantime, Mountain View is urging users of that service to create a *drum roll* Google+ page.

And Gears will very shortly be switched off. The kill date is set for next month.

“Gears-based Gmail and Calendar offline will stop working across all browsers, and later in December Gears will no longer be available for download,” the company explained.

“This is part of our effort to help incorporate offline capabilities into HTML5, and we’ve made a lot of progress. For example, you can access Gmail, Calendar and Docs offline in Chrome.”

You can pay your respects by viewing the full death warrant list here.

The company also gave up on TRYING TO SAVE THE WORLD today. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/google_ditches_failed_social_products/

UK has no idea if it’s selling spyware to evil regimes

The UK government says it isn’t exercising any control over the sale of surveillance software nor stopping it from finding its way into the hands of repressive regimes.

At the start of the month, Lord David Alton of Liverpool called on the Coalition to ban the export of espionage software and equipment, and questioned previous sales of UK software to Iran and Yemen.

However, Foreign Office minister Lord David Howell of Guildford has said that there is “no evidence of controlled military goods exported from the United Kingdom being used for internal repression in the Middle East and North Africa”.

In terms of spying software, Lord Howell said, in a written reply, that the government doesn’t usually keep an eye on where it is going because it can be used for legitimate purposes.

“Surveillance equipment, including telephone intercept equipment, covers a wide variety of equipment and software, and generally is not controlled because of its use for a wide variety of legitimate uses and its easy and widespread availability,” he said.

If the gear’s export is subject to licence, the application would be considered on a case-by-case basis, the minister explained.

“The UK will not issue licences where we judge there is a clear risk that the proposed export might be used to facilitate internal repression,” he added.

But since, as he mentions, the government is actually not really controlling the sale of this type of software, that’s probably not all that comforting.

We need to talk about Iran

Lord Alton had also asked the government about a particular company, Creativity Software, claiming that it had sold “lawful intercept” software to Irancell, an Iranian telco.

Despite some very specific requests for information about any discussions the government may have had with the company on their activities in Iran, who was present in these meetings, when they occurred and whether or not the firm had service contracts on the technology it sold to Iran, Lord Alton got rather fobbed off with a literal interpretation of his question.

“The UK Government National Technical Authority for Information Assurance provides technical advice to BIS on whether information security products are subject to export controls. In this capacity, on 31 March 2009 officials from this authority had a meeting with Creativity Software to consider products that the company wished to export,” wrote the department of Business, Innovation and Skills’ Baroness Wilcox in her reply to Lord Alton.

However, she did add that “there has been no export licences issued to Creativity Software to Yemen, Iran or Syria over the past five years”.

Creativity Software itself released a statement a few days after the initial allegations, saying that it had only sold location-based technology to Irancell to enable it to offer commercial services to its customers.

“The first services that have been launched are zone based billing and a mobile social networking service (“Friend Finder” and “Family Finder”) – which have been used by over 3 million people in the country since it was launched in January this year,” the company said.

However, the firm acknowledged that it was bound by contract to respect the confidentiality of its customers where they wanted it. The statement also pointed to the legitimate uses of location-based software for “public safety services, national security and law enforcement applications, as well as commercial” purposes.

All of which seems to neatly sum up the crux of the problem with using surveillance software: it all depends on who is setting the national security agenda, who gets to say what is a “legitimate use” and how this may differ in regimes that would prefer to silence dissenting voices. ®

Bootnote

According to Cambridge’s Christ’s College, human rights lobbying Lord Alton was the first parliamentarian to visit North Korea, and as chairman of the British-DPRK All-Party Parliamentary Group, he met the chairman of the Supreme People’s Assembly, Choe Thae Bok. Last month he gave a talk at Pyongyang University of Science and Technology on “good science and good ethics”, telling students: “It is better for men to build bridges than to build walls”.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/surveillance_software/

FBI: No evidence of water system hack destroying pump

Federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery.

In an email sent on Tuesday afternoon to members of the Industrial Control Systems Joint Working Group, officials with the ICS-CERT, an offshoot of the US Computer Emergency Readiness Team, said investigators from the US Department of Homeland Security and the FBI have been unable to confirm the claims, which were made in a November 10 report issued by the Illinois Statewide Terrorism and Intelligence Center, also known as the Fusion Center.

“After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois,” the email, which carries a subject of “UPDATE – Recent Incidents Impacting Two Water Utilities,” stated.

“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.”

The email went on to say the investigators “have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported.”

DHS representatives didn’t respond to an email seeking comment.

The statement comes five days after Joe Weiss, an ICS security expert, disclosed contents of the Illinois report claiming that attackers triggered a pump failure after accessing the supervisory control and data acquisition system used by a US-based water utility. The report, he went on to say, warned that the intruders hacked into the maker of the SCADA system used by the utility and stole passwords belonging to the manufacturer’s customers. If true, that would have meant that other industrial systems might have been breached by the same actors.

A day after the report, Curran-Gardner Water District Chairman Don Craver was quoted by a local ABC News affiliate as saying: “There’s some indication there was a breach of some sort into a software program – the SCADA system – that allows remote access to the wells, and the pumps, and those sorts of things.” He has yet to explain his comments in light of Tuesday’s statement.

Weiss said he was surprised by the competing versions of events provided in the latest report.

“If they’re right, that means what in the world is the Illinois Center doing putting out a report like that that has no verification,” he told The Register. The earlier report “was straightforward. There were no caveats in there.”

The update went on to say that officials are still investigating additional claims that a second water plant in Texas was breached by someone who gained unauthorized access to systems controlling its machinery.

The entire text of Tuesday’s update is:

Sent: Tuesday, November 22, 2011 2:38 PM
Subject: UPDATE – Recent Incidents Impacting Two Water Utilities

Greetings:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.  In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported.  Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

In a separate incident, a hacker recently claimed to have accessed an industrial control system responsible for water supply at another U.S. utility. The hacker posted a series of images allegedly obtained from the system. ICS-CERT is assisting the FBI to gather more information about this incident.

ICS-CERT has not received any additional reports of impacted manufacturers of ICS or other ICS related stakeholders related to these events. If DHS ICS-CERT identifies any information about possible impacts to additional entities, it will disseminate timely mitigation information as it becomes available. ICS-CERT encourages those in the industrial control systems community who suspect or detect any malicious activity against/involving control systems to contact ICS-CERT.

Regards,

ICS-CERT

E-mail: [email protected]
Toll Free: 1-877-776-7585
For CSSP Information and Incident Reporting: www.ics-cert.org

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/23/water_utility_hack_update/

Google mail crypto tweak makes eavesdropping harder

Google engineers have enhanced the encryption offered in Gmail, Google Docs, and other services to protect users against retroactive attacks that allow hackers to decrypt communications months or years after they were sent.

The feature, a type of key-establishment protocol known as forward secrecy, ensures that each online session is encrypted with a different public key and that corresponding private keys are never kept in long-term storage. That, in essence, means there’s no master key that unlocks multiple sessions that may span months or years. Attackers who recover a key will be able to decrypt communications exchanged only during a single session.

Google security guru Adam Langley said his team built the feature into Google’s default SSL protection using a preferred cipher suite that’s based on elliptic curve cryptography and the Diffie-Hellman key-exchange method. They have released their code as an addition to the OpenSSL library to reduce the work necessary for other websites to implement the protection.

“We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision,” Langley wrote in a blog post published on Tuesday.

The move preserves Google as the uncontested leader in offering its users default protections. Last year, the web giant rolled out end-to-end SSL by default for users of its Gmail service. Last month, it introduced encrypted search. Competitors such as Twitter and Facebook – and to a much lesser extent Microsoft – frequently follow suit in the months that follow such releases.

Forward secrecy, which is also known as perfect forward secrecy, is important for protecting the continued confidentiality of encrypted communications over long periods of time. As computers grow faster and more powerful, it often becomes feasible to use brute-force attacks to crack encryption keys that only a decade earlier were considered unbreakable. Encrypted communications not protected by forward secrecy can be recorded and stored and only decrypted much later, once their single private key can be deduced.

The protection works by default with all versions of the Mozilla Firefox and Google Chrome browsers. Microsoft’s Internet Explorer also supports the feature when the browser is running on Vista, and later versions of Windows, although not by default. That’s because IE isn’t compatible with some of the elements contained in the ECDHE-RSA-RC4-SHA cipher suite chosen by Langley’s team.

As Langley explained in a deeper technical description, the Google implementation uses a single-session public key based on the elliptic curve, ephemeral Diffie-Hellman protocol that is then signed by a separate RSA private key belonging to Google. This makes the task of eavesdropping on someone over an extended period of time much harder, since each new session is protected by a different key.
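The difference between the two key-exchange styles can be shown in a few lines. The following is an added example, not Google's or OpenSSL's code: it swaps in a toy finite-field Diffie-Hellman group for the elliptic-curve one and uses textbook RSA with deliberately small parameters, and every function name in it is hypothetical.

```python
import hashlib
import secrets

# Toy parameters so the example runs on the standard library alone. Textbook
# RSA without padding and these key sizes are NOT secure; illustration only.
DH_P = 2**255 - 19                      # prime modulus of the toy DH group
DH_G = 2
RSA_P, RSA_Q = 2**127 - 1, 2**107 - 1   # two Mersenne primes
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's long-term private key


def kdf(secret: int) -> bytes:
    """Derive a 32-byte session key from an integer secret."""
    return hashlib.sha256(secret.to_bytes(64, "big")).digest()


def digest_int(value: int) -> int:
    """Hash an integer down to something the toy RSA key can sign."""
    raw = hashlib.sha256(value.to_bytes(64, "big")).digest()
    return int.from_bytes(raw, "big") % RSA_N


def rsa_transport_session():
    """No forward secrecy: the client encrypts the secret to the long-term RSA key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    recorded = {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return kdf(premaster), recorded      # (session key, what an eavesdropper stores)


def ephemeral_dh_session():
    """Forward secrecy: fresh DH keys per session; RSA only signs the server's share."""
    a = secrets.randbelow(DH_P - 3) + 2          # server ephemeral private value
    b = secrets.randbelow(DH_P - 3) + 2          # client ephemeral private value
    server_share, client_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signature = pow(digest_int(server_share), RSA_D, RSA_N)
    # The client authenticates the ephemeral share against the long-term public key.
    if pow(signature, RSA_E, RSA_N) != digest_int(server_share):
        raise ValueError("server share is not signed by the expected key")
    client_key = kdf(pow(server_share, b, DH_P))
    if client_key != kdf(pow(client_share, a, DH_P)):
        raise RuntimeError("key agreement failed")
    recorded = {"server_share": server_share, "client_share": client_share,
                "signature": signature}
    # a and b are dropped here; nothing on the wire or on disk encodes them.
    return client_key, recorded


def keys_recoverable_later(recorded: dict, leaked_rsa_d: int) -> set:
    """Session keys a passive recorder obtains by applying a later-leaked RSA
    private key to every value it captured on the wire."""
    return {kdf(pow(v % RSA_N, leaked_rsa_d, RSA_N)) for v in recorded.values()}
```

With RSA key transport the recorded ciphertext yields the session key as soon as the long-term key leaks; with the ephemeral exchange the same leaked key only allows signatures to be forged from then on, and each session's key is different.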

The scheme also relies on TLS session tickets, which are cookie-like files that are stored on end-user machines and contain keys and other settings required by Google servers to resume a session. The use of session tickets is most likely intended to reduce the load on Google servers, but it also introduces potential security risks, particularly if an attacker could intercept or forge a valid file.

“This is actually a step backwards,” cryptographer Nate Lawson, who is principal of the Root Labs security consultancy, told The Register. “You’re putting all your trust in the clients and hoping you don’t make any mistakes on the server side.”

Of course, if Google does the cryptography right, there’s little risk posed, and if the method significantly reduces the load on servers, it could bring forward secrecy to the computing masses. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/google_perfect_secrecy/

Cyber-cop Trojan used iTunes flaw to spy on crims

A law enforcement Trojan takes advantage of the same recently patched iTunes flaw also used by the Ghost Click botnet, according to a demo at a recent German trade show.

Spiegel Online reports that a promo video for a variant of the FinFisher spyware application shows it exploits a vulnerability in iTunes to update the software on targeted systems. Prior to a recent update, iTunes used an unencrypted HTTP request to poll for the latest version of Apple’s media player software. This technique created an opening for man-in-the-middle attacks, providing Apple Software Updater is not in play*.

Instead of receiving the URL for the latest version of iTunes from Apple, an attacker could send a dummy update request that induces victims to visit a counterfeit webpage under the control of attackers.

For the redirection to work, a machine would already need to be infected with the DNSChanger software (in the case of the alleged Ghost Click botnet operators) or in the case of law enforcement agencies using Gamma’s FinFly ISP technology, you’d need ISPs to be in on the redirection ruse.

FinFisher is marketed by Gamma International to cops and spooks as a means to tap the Skype calls, IM chats and emails of suspected criminals. Documents found during the ransacking of Egypt’s secret police headquarters, at the height of the Arab Spring uprising, suggest that the Mubarak regime purchased FinFisher to spy on dissidents. Gamma International, which denies selling its wares to Egypt, ran a stall at the Cyberwarfare Europe conference in Berlin back in September. Delegates to the conference included government and business representatives from the United Arab Emirates, Indonesia and Malaysia.

Don’t ever bother asking journos to leave, it never works

Gamma made sure journalists had left the room when it gave its product demonstration but Der Spiegel nonetheless discovered that its pitch included video showing how its FinFly ISP technology took advantage of the recently patched iTunes flaw to push updates of its remote monitoring tool. Other versions of its technology used a specially adapted USB flash drive (“USB FinFly”) to drop spyware onto systems but this approach, unlike FinFly ISP, requires physical access to computers.

German software developer DigiTask offers similar law enforcement Trojan technology. German federal law allows the use of malware to eavesdrop on Skype conversations, however samples of the so-called R2D2 (AKA “0zapftis”) Trojan that recently came into the possession of the Chaos Computer Club (CCC) had a far wider range of functionality than this, including keystroke logging and establishing a backdoor on compromised machines.

CCC criticised the R2D2 code as both “amateurishly written” and illegal. Five German states subsequently admitted using the controversial backdoor Trojan to spy on criminal suspects. It’s suspected that the R2D2 Trojan was developed by DigiTask, based on similarities in the sample obtained by CCC and the functionality as described in documents published by WikiLeaks last year, but this remains unconfirmed.

The use of law enforcement Trojans is particularly controversial in Germany, which is more privacy-sensitive than most countries thanks in large part to the memory of the invidious spying tactics by the former East German secret police, the Stasi. As Spiegel Online notes, adopting the same tactics as cyber-criminals makes those marketing law enforcement Trojans look even more sneaky. ®

Patchnote

* Apple addressed the underlying vulnerability with a cross-platform update for iTunes, version 10.5.1, last week. The latest version of iTunes requests update URLs over a secure (https) connection, thereby blocking man-in-the-middle attacks.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/trojan_exploits_itunes_flaw/

Council not fined after 7,200 sensitive files dumped in skip

Southwark council breached the Data Protection Act after it left an unencrypted computer and papers containing sensitive information on 7,200 people in one of its buildings when it was vacated, which were then disposed of by the building’s new tenant, the Information Commissioner’s Office (ICO) has said.

The local authority vacated the building in December 2009, but the breach was reported in June of this year shortly after the information was found in a skip. The information stored on the computer and the papers included details of peoples’ names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.

While the council did have information handling and decommissioning policies in place, the privacy watchdog said that the policies were not followed when the offices were vacated.

Southwark council has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected. The local authority has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.

Sally Anne Poole, acting head of enforcement, said: “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.

“Southwark council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”

Separately, Central Essex Community Services has signed an undertaking after the loss of a birth book containing information about the general health of 249 mothers and their babies. The book, which should have been stored in a locked filing cabinet, was stored on top of the cabinet in a locked room due to no secure storage space being available. The book has never been recovered.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/southwark_council_breach/

The top five spam subjects sullying inboxes

Security biz Websense has drawn up a list of the five most common spam subject lines.

The nuisance list, based on the subject lines of the millions of spam messages blocked by the firm every day, highlights the danger of opening attachments or clicking dodgy links. The most commonly seen subject lines fall into one of the five categories listed below:

  1. Bogus online orders – For example, “Order N21560”, although the numbers vary. These pose as Adobe CS4 licences but actually redirect to sites serving up the Blackhole exploit kit.
  2. Fake fines – “FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922)”, numbers vary and subject might appear without FW: or RE:, or “Fwd: Your Flight Order N125-9487755”, again numbers vary. Users are lured to click on a link, which redirects to another malicious site serving the Blackhole exploit kit.
  3. Package delivery lies – For example, “USPS Invoice copy ID46298”, “FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ” or “DHL Express Notification for shipment 90176712199”. As before, numbers vary between different spam messages. “Fake emails pretending to be invoices or tracking emails have been around for several years and usually would have an attachment, such as a Trojan like Zeus or SpyEye,” Websense reports. Malicious emails of this type are still being sent out in bulk, using attachments that are repackaged for every campaign, as a tactic designed to get around antivirus defences.
  4. Tests for working addresses – These often appear under the guise of a patch for World of Warcraft. “Unfortunately, for the criminals, the archive is corrupt and therefore harmless to the recipients,” Websense reports, though other campaigns using the same subject line do appear with working malicious code attached. In other cases the subject line is used by spammers to validate email addresses as active.
  5. Payment and tax cons – For example “FRAUD ALERT for ACH”, “Your Wire Transfer”, “IRS requires new EIN”, and “IRS Tax report”. Many spam-bots spewing this type of email are misconfigured so that they automatically send out dodgy emails with an August date stamp, even though we are now reaching towards the end of November.

Websense adds that spam slurries normally follow the pattern of running for only about an hour or less before disappearing for a while, sometimes only to return with another short-lived tsunami of email crud.

Miscreants often switch between attachments and using links to malicious or compromised websites to distribute malware. Repackaging attachments so they will not be detected automatically by antivirus scanners is also commonplace. Changing the template of spam emails is also extremely commonplace.
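As an added example (not Websense's code), the subject templates quoted in the list above and the stale August date stamp can be turned into a small mail-triage check. The rule names, the seven-day skew threshold and the sample messages are assumptions constructed for illustration, and because templates change often the patterns are a point-in-time snapshot.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Subject templates quoted in the article; the numbers and tracking ids vary.
# Category 4 (address tests) has no quoted subject line, so it has no rule.
SUBJECT_RULES = [
    ("bogus_order", re.compile(r"Order N\d+", re.I)),
    ("fake_fine", re.compile(r"UNIFORM TRAFFIC TICKET \(ID: \d+\)", re.I)),
    ("fake_fine", re.compile(r"Your Flight Order N\d+-\d+", re.I)),
    ("package_delivery", re.compile(r"USPS Invoice copy ID\d+", re.I)),
    ("package_delivery",
     re.compile(r"FedEx: New Agent File Form, trackid: [0-9A-Z]+", re.I)),
    ("package_delivery",
     re.compile(r"DHL Express Notification for shipment \d+", re.I)),
    ("payment_tax", re.compile(
        r"FRAUD ALERT for ACH|Your Wire Transfer|IRS requires new EIN|IRS Tax report",
        re.I)),
]
# The article notes subjects may arrive with or without FW:/RE:/Fwd: prefixes.
FORWARD_PREFIX = re.compile(r"^\s*(?:(?:fw|fwd|re)\s*:\s*)+", re.I)


def classify_subject(subject: str):
    """Return the article's category for a subject line, or None if no rule fits."""
    core = FORWARD_PREFIX.sub("", subject).strip()
    for category, pattern in SUBJECT_RULES:
        if pattern.fullmatch(core):
            return category
    return None


def triage(raw_message: str, received_at: datetime,
           max_skew: timedelta = timedelta(days=7)) -> dict:
    """Classify the subject and flag a Date header far from the receipt time."""
    msg = message_from_string(raw_message)
    stale = None                      # None means the Date header was unusable
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:       # "-0000" parses as a naive datetime
            sent = sent.replace(tzinfo=timezone.utc)
        stale = abs(received_at - sent) > max_skew
    except (TypeError, ValueError):
        pass
    return {"category": classify_subject(msg.get("Subject", "")),
            "stale_date": stale}


# Constructed sample messages, received on the day the article was published.
RECEIVED = datetime(2011, 11, 22, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    "Date: Mon, 15 Aug 2011 09:12:00 +0000\nSubject: IRS Tax report\n\nbody",
    "Date: Tue, 22 Nov 2011 10:01:00 +0000\n"
    "Subject: FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922)\n\nbody",
    "Date: Tue, 22 Nov 2011 10:05:00 +0000\n"
    "Subject: Re: Order of service for Sunday\n\nbody",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample, RECEIVED))
```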

A blogpost by Websense on spam subject lines and associated tactics, which features a rogues’ gallery of dodgy emails, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/common_spam_subject_lines_revealed/

‘Nervous’ London bankers run mock cyberattack exercise

London banks are taking part in a simulated cyberattack exercise on Tuesday designed to test the resilience of the UK’s financial service industry to a collapse of telecoms systems and Olympics-related transport disruption.

The exercise is occurring against the real world backdrop of the Occupy the City protestors, camped outside the Square Mile. The joint Financial Services Authority, Bank of England and Treasury initiative involves staff from around 80 banks. An outline of the scenario to be played out on Tuesday by UK Financial Sector Continuity explains that the exercise will look at responses to simulated cyber-attack and internet service disruption.

We have designed a scenario that will test the ability of participants to respond to a concerted cyber attack on the financial sector. Thus, there is a strong focus upon dependencies on telecommunications and the internet as well as managing the return to business as usual.

It will also examine the impact of transport disruption against the backdrop of the Olympics.

In response to feedback, we have released the scenario well in advance so facilitators have more time to review injects and their impacts, engage the right people and in-house experts and organise their participation on exercise day. We have reduced the focus on crisis management and included a dedicated strategic element on exercise day.

Sian John, UK security strategist at Symantec, commented: “With more than 80 companies lined up to take part in the exercise today there are likely to be plenty of nervous bankers in the UK waiting to see the results of this test. Often you see security being considered at the last minute rather than being engineered into projects and infrastructures from day one so it’s very encouraging to see an important sector like this taking part in preventative measures.

“Threats are becoming increasingly targeted and focused on accessing information that can be used for malicious gain or sold on via underground markets. An exercise like this will demonstrate exactly how robust their [banking] systems are and where the vulnerabilities lie. It may mean they need to reconsider back up sites for example or rethink security altogether – whatever the results it’s a nice illustration that financial institutions are proactively looking to manage risk.”

Henry Harrison, Technical Director at BAE Systems Detica, said that the scenario played out through the exercise needs to be as thorough and realistic as possible in order to yield the best possible results.

“It is very pleasing to see the financial sector taking the threat of cyber attack so seriously and we hope that other sectors will follow suit,” Harrison said. “The key to this sort of exercise is using sufficiently representative scenarios. This is as true for cyberattack scenarios as for financial disaster scenarios – while it is simple to imagine situations such as a total loss of communications, realistic scenarios should also include the loss of confidence in the integrity of data or key systems, or indeed the loss of confidence in the confidentiality of communications between different players in the system.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/london_banks_resilience_exercise/

Ofcom denies privacy to drunk-dial-and-drive trucker

The BBC was justified in broadcasting the unblurred face of a trucker who was pulled for being on the phone, and subsequently arrested for being drunk at the wheel, despite his right to privacy, Ofcom has ruled.

The trucker alleges that an episode of Motorway Cops violated his privacy in showing him being pulled, arrested, and led to a cell, despite his request that the footage not be used. Ofcom agrees that broadcast of the footage inside the police station was an invasion of privacy, but that it was justified by the public interest.

The show didn’t name the trucker, but it did broadcast footage of him talking on a mobile phone while driving a 44-ton truck. When an unmarked police vehicle tried to get him to pull over he lifted his other hand off the wheel to give a cheery thumbs up. Having got him to stop, police subsequently found an open can of lager in the truck’s cab.

Ofcom ruled that the footage taken while driving, and then failing the breathalyzer test (the trucker was found to be almost double the legal limit), were not an invasion of privacy as they happened in a public place. But once the action moves to the cop shop arrestees are entitled to expect some privacy, and while the truck driver didn’t explicitly ask for the filming to be stopped he was clearly unhappy with it.

Ofcom interpreted that to mean he would have liked it to stop, and thus in normal circumstances the filming would have to have stopped or at least the footage not be broadcast. But Ofcom also ruled that given the offence, and the fact that earlier footage showed it being committed, the public-interest argument outweighed any expectation of privacy.

The driver was fined £115 and banned from driving for a year, Ofcom says. He has argued that repeats of the programme would put his return to work at risk. Given he’s not named in the show we can’t help feeling he’s not done himself any favours in making the complaint, should prospective employers be doing a Google search or similar, as it has resulted in him being named in Ofcom’s latest enforcement bulletin (PDF, lots of details but quite dull to read).

Ofcom has also been investigating a claim by one “Mrs E” who was shocked to see her younger self on screen. She appeared in the audience of a TV show about parents accused of child abuse 20 years ago, and has suddenly seen the footage reused, much to the surprise of friends and colleagues who recognised her and started asking questions about what prompted her to attend.

Ofcom ruled that having agreed to be in the show in 1989 she gave up all rights to use of the footage thereafter, including subsequent repeats.

It would seem that in fact the “right to be forgotten” may have disappeared longer ago in some cases than people think. Unless we all change identities every now and then we may just have to get used to it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/ofcom_privacy/