STE WILLIAMS

ePlods charge man, 60, with chick-lit MP Twitter threats

A man, arrested in August on suspicion of menacing Tory MP Louise Mensch via Twitter and threatening emails, has been charged under section 127 of the 2003 Communications Act.

“A man arrested over allegations of malicious communications and threats made via email and a social networking site against Louise Mensch MP has been charged,” the Met said.

Frank Zimmerman, 60 (01/10/1951) of Spinney Road, Barnwood, Gloucester will appear on bail at Gloucester Magistrates’ Court on 12 December, said Scotland Yard.

He has been charged with improper use of a public communications network, it added.

Cyber cops cuffed Zimmerman on 25 August, following allegations lodged by Mensch a few days earlier.

Mensch took to Twitter to complain publicly about the alleged harassment before taking her complaint to police as she was in the US at the time of the incident.

The Tory politico, Rupert Murdoch botherer and erstwhile romantic novelist, who writes under the pen-name Louise Bagshawe, claimed that “some morons from Anonymous/LulzSec” had threatened her children via email.

“As I’m in the States, be good to have somebody from the UK police advise me where I should forward the email. To those who sent it; get stuffed, losers,” she said in August.

“Oh and I’m posting it on Twitter because they threatened me telling me to get off Twitter. Hi kids! ::waves:: I’ve contacted the police via the House of Commons and the email is with them now. I don’t bully easily, kids. Or in fact at all.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/louise_mensch_twitter_email_man_charged/

Security takes a backseat on Android in update shambles

The majority of Android smartphone users are walking around with insecure devices running out-of-date OS builds, leaving personal and business data at greater risk of attack.

The latest figures from Google’s Android developer web site show that 44.4 per cent of users have the latest version of Android (Android 2.3 or later) installed on their devices. A further 1.9 per cent are running developer builds.

That leaves 53.7 per cent running older versions, the majority of which (40.7 per cent of the total userbase) are running Android 2.2 (Froyo). The stats come from users visiting Google’s App Store over a fortnight.

A study by application security firm Bit9 found that the sheer complexity of the Android ecosystem – in which updates are distributed in different ways and at different times (if at all) based on manufacturer, phone family, phone model, carrier, and geographic location – has meant security has taken a back seat, leaving smartphone users more vulnerable as a result.

Bit9 looked at the 20 most popular Android handsets from the likes of Samsung, HTC, Motorola, and LG. It found many Android smartphone suppliers launch new phones with outdated software out of the box. To make matters worse, many suffer from tremendous lag times in rolling out updates to later and more secure versions of Android.

Six of the 20 surveyed phones are running Android 2.2, a version that shipped 18 months ago in May 2010. A further seven are running builds of Android that are at least nine months old. Only seven of them were up to date.

The average time between when an update is available from Google and when it is pushed to the phone is 185 days – slightly more than six months. For example, across the Samsung models Bit9 studied, the average lag time is over 240 days (over eight months).

In some cases, the phones are not updated at all as the manufacturers shift their focus to newer models, leaving existing customers stranded with insecure software. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone, according to Bit9.

Security nightmare for BOFHs

“Smartphones are the new laptop and represent the fastest emerging threat vector,” said Harry Sverdlove, CTO of Bit9. “In our bring-your-own-device-to-work culture, people are using their personal smartphones for both personal and business use, and attacks on these devices are on the rise.”

Android smartphone manufacturers are prioritising form and functionality over security, leaving consumers and businesses at greater risk as a result of running out-of-date and insecure smartphone software. The consumerisation of IT, where more people are using their personal devices at work, is putting companies at risk for data leakage and intellectual property theft. Running around with outdated smartphone software is not just bad practice, it creates real security risks.

For example the DroidDream malware, which moved Google to pull at least 50 apps from the Android Market in March and invoke a “kill switch” to remove those applications from more than 250,000 Android users’ phones, relied on a specific vulnerability in the operating system that Google fixed in its 2.3 (Gingerbread) release and a point release of 2.2.2 (Froyo).

“The malware itself was delivered as a standard app that users had to choose to install, but its ability to take complete control (root) the phone was dependent on the patch level of the phone,” Sverdlove explained.

In August 2011, a vulnerability was discovered that could allow an attacker to hijack the browser. Google fixed this problem in 2.3.5 and 3.1. While no attacks based on the vulnerability have been carried out to date, it would be rash to wait until a major attack is underway before patching.

Most minor and major updates of Android include “security updates”, and most Android phones come with manufacturer enhancements and third-party components (eg, Java and Flash) as well. Each of those components is equally at risk if they are not properly and regularly updated.

Despite this need for security updates, the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment in which it can take several months for important updates to be distributed, if they are distributed at all.

“Manufacturers and phone carriers have shown that when they are in the business of owning software updates, they perform poorly,” Harry Sverdlove, CTO of Bit9 told El Reg. “Their interest is in selling newer phones and carrier contracts; they are not incentivised to prioritise security for existing phones.”

Sverdlove acknowledged there are no easy answers but suggested a number of steps to improve the situation. Much like the PC industry, smartphone manufacturers could relinquish control of the operating system software updates. This process has already been implemented with the Apple iPhone and Google Nexus phone.

Secondly, security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritising security updates. In the meantime, corporations need to evolve to a “secure app store” model and allow only specific devices and trustworthy applications into their environment.

Bit9 does not as yet market services or technology that secures mobile devices. It carried out the research in the interests of raising awareness about what it sees as a growing problem. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/android_patching_mess/

Tor launches DIY relays in Amazon cloud

The Tor Project is tapping Amazon’s EC2 cloud service to make it easier for volunteers to donate bandwidth to the anonymity network.

Developers with the project have released preconfigured Tor Cloud images that volunteers can use to quickly deploy bridges that allow users to access the service. The new system is designed to take some of the pain out of running such Tor relays by reducing the work and cost of deploying and running the underlying hardware and software.

“Setting up a Tor bridge on Amazon EC2 is simple and will only take you a couple of minutes,” a project member wrote in a post published on Monday. “The images have been configured with automatic package updates and port forwarding, so you do not have to worry about Tor not working or the server not getting security updates.”

In many cases, those availing themselves of the images to set up Tor bridges will qualify for Amazon’s free usage tier. That will allow volunteers to run a bridge on EC2 for a full year. Those who don’t qualify will need to pay about $30 a month.

Tor bridges are relays that aren’t listed in the main directory, making them harder to be blocked by repressive governments and service providers. The volunteer-maintained relays act as the first hop in the network. From there, traffic is forwarded to other relays.

The preconfigured server images are available in six of Amazon’s service regions, including Virginia, Northern California, Oregon, Ireland, Tokyo, and Singapore. They come with bandwidth limits to keep the cost of running a bridge below the $30 threshold. Once they are installed, they require little maintenance, the Tor posting said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/22/tor_amazon_bridge/

Smart meters blamed for Wi-Fi, garage opener interference

Smart meters issued by an electric utility in Maine are interfering with a wide range of customers’ electronic devices, including wireless routers, cordless phones, electric garage doors, and answering machines.

The Central Maine Power Company has received complaints from more than 200 customers since the meters were installed a little more than a year ago. The utility has deployed almost 425,000 of the devices, which use low-power radio transmissions to send meter readings. The 200 complaints received to date are probably a small subset of those affected, the state’s public advocate said.

“We have asked CMP to do a better job informing customers about these potential problems, and while CMP’s website does refer to the issue, we don’t think it goes far enough,” Public Advocate Richard Davies said in the statement. “My agency is troubled by the possibility that people may be spending their time and money fixing a problem that may be caused by CMP’s meters, and that can and should be fixed by CMP.”

In a list of frequently asked questions, utility officials said the meters operate on the same 2.4GHz frequency band used by many cordless phones and 802.11 wireless devices.

“Separating interfering devices usually reduces interference, so make sure the wireless device is located as far from the smart meter as possible,” the posting advises. “Also, adjust the position of the antenna on the device, if possible, and move the wireless device away from any walls that may absorb the signal.”

The utility also said interference can sometimes be overcome by changing the Wi-Fi channel used by their router. In the US, channels 1 and 11 are favored, the utility said.

In the past, some electric customers have reported that their power bills spiked immediately after their old meters were replaced with smart meters. Some have also complained about the health effects from the radio transmissions of smart meters, although there is little scientific evidence to back up these claims.

Security experts have also warned that smart meters are susceptible to hack attacks that could potentially take down the power grid. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/smart_meter_interference/

‘Organized’ hack targets AT&T wireless subscribers

Hackers used automatic scripts to target AT&T wireless subscribers in an unsuccessful attempt to steal information stored in their online accounts, company officials said.

In an email sent to targeted subscribers, AT&T warned of an “organized attempt” to break into their accounts. The advisory was sent to less than 1 per cent of the company’s wireless subscribers, spokesman Mark Siegel told The Register. The company informed the users “out of an abundance of caution.”

“The people in question appear to have used ‘auto script’ technology to determine whether AT&T telephone numbers were linked to online AT&T accounts,” company officials said in an accompanying statement.

If the script was able to isolate phone numbers that were linked to online accounts, AT&T’s website may be configured in a way that puts subscriber privacy at risk. Last year, hackers obtained the email addresses of 114,000 early adopters of Apple’s iPad by exploiting weaknesses in an AT&T website.

Security advisors say login mechanisms on websites should never return error messages that indicate an email address, phone number, or user name is valid. Siegel declined to elaborate on the attack or how ATT’s website responded to the attack script.
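The advice above, as an added example that is not from the article or from AT&T: a sign-in check whose error text reveals whether a phone number has an account, next to a form that returns the same status, text and hashing work for every failure, plus a simple check for one client trying many different numbers. The account store, function names, messages, threshold and sample data are all constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; assumption, not a recommendation


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_store(accounts):
    """Build {phone: (salt, password_hash)} from constructed sample credentials."""
    store = {}
    for phone, password in accounts.items():
        salt = os.urandom(16)
        store[phone] = (salt, _hash(password, salt))
    return store


# Constructed sample data: two phone numbers that have online accounts.
STORE = make_store({"5550100": "correct horse", "5550101": "battery staple"})

# Dummy record so an unknown number costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

GENERIC_FAILURE = (401, "Sign-in failed. Check your details and try again.")


def login_enumerable(phone, password):
    """Weak form: status and text tell the caller whether the number is registered."""
    record = STORE.get(phone)
    if record is None:
        return (404, "No online account is linked to this number.")
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (401, "Incorrect password.")
    return (200, "Welcome back.")


def login_uniform(phone, password):
    """Hardened form: identical response and identical work for every failure."""
    salt, stored = STORE.get(phone, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if phone in STORE and matches:
        return (200, "Welcome back.")
    return GENERIC_FAILURE


def flag_scripted_probing(attempts, max_distinct=3):
    """Return client addresses that submitted more than max_distinct different numbers."""
    seen = defaultdict(set)
    for client, phone in attempts:
        seen[client].add(phone)
    return sorted(c for c, phones in seen.items() if len(phones) > max_distinct)


# Constructed attempt log: (client address, phone number submitted).
SAMPLE_ATTEMPTS = [("198.51.100.7", f"55501{n:02d}") for n in range(6)] + [
    ("192.0.2.10", "5550100"),
    ("192.0.2.10", "5550100"),
]

if __name__ == "__main__":
    print(login_enumerable("5550100", "guess"), login_enumerable("5559999", "guess"))
    print(login_uniform("5550100", "guess"), login_uniform("5559999", "guess"))
    print(flag_scripted_probing(SAMPLE_ATTEMPTS))
```

The same uniform-response rule applies to registration and password-reset forms, which can leak account existence in the same way.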

“No accounts were breached and our investigation is ongoing to determine the source or intent of the attempt to gather this information,” the statement said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/att_attack/

‘Occupy Flash’ web hippies aim to rid world of Adobe plugin

An “Occupy Flash” website is urging PC users to rip Adobe’s ubiquitous media player off their computers and embrace HTML5.

The Occupy Flash site describes its goal as ridding the world of Adobe’s Flash Player plug-in because, it says, HTML5 has won the future of the web. Adobe earlier this month admitted it is no longer developing the mobile version of Flash.

Flash Player is a security nightmare, doesn’t work on most devices and makes the web less accessible, the group said, adding: “At this point, it’s holding back the web.” The group continues:

It’s a fossil, left over from the era of closed standards and unilateral corporate control of web technology. Websites that rely on Flash present a completely inconsistent (and often unusable) experience for fast-growing percentage of the users who don’t use a desktop browser. It introduces some scary security and privacy issues by way of Flash cookies.

The group wants the world to avoid another situation similar to the lingering existence of Microsoft’s Internet Explorer 6, where the browser lives on because “a contingent of decision makers” mandates its use.

Flash is resident on more than 90 per cent of internet-connected PCs, according to Adobe, and is the default choice for many building online animations, ads, films and other media content.

Inevitably this means there will be “some pain and sacrifice involved” in removing Flash, the site bravely states, “but the more of us who run browsers that don’t support Flash, the quicker that pain will subside”.

There’s no indication of who is behind Occupy Flash or how many people are involved. Instead the group decided to stay anonymous.

Anybody with half a memory will remember it was Apple’s late chief executive Steve Jobs who launched a solo crusade against Flash, saying HTML5 was the saviour of the web. It would therefore be easy to conclude Apple or some juiced-up Apple fanbois are continuing Jobs’ work through Occupy Flash. The site has claimed it has no corporate backer.

One thing Occupy Flash has admitted, though, is that it’s shamelessly co-opted a populist terminology, as it has not – nor can it – occupy anything. “Regardless, we love the idea of normal people taking on big corporations in the interest of the population at large,” the site’s administrators add. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/occupy_flash/

Spyhunting US pols to crawl up Huawei and ZTE’s ass

US lawmakers have launched an investigation into the threat of cyber espionage from Chinese telecoms firms operating in the US, singling out Huawei and ZTE.

The House of Representatives committee on intelligence said yesterday that it was focused on the threat to America’s security and critical infrastructure coming from “the expansion of Chinese-owned telecommunications companies – including Huawei and ZTE – into our telecommunications infrastructure”.

According to the committee, the probe will be looking at “the extent to which” the companies give the Chinese government the opportunity to spy on the US, whether for political or economic reasons and how much of a threat to critical infrastructure the firms are. Which doesn’t seem to offer much chance of the investigation maybe finding that the companies aren’t at all involved in spying.

“The fact that our critical infrastructure could be used against us is of serious concern,” Republican congressman and committee chairman Mike Rogers said in a canned statement. “We are looking at the overall infrastructure threat and Huawei happens to be the 800 pound gorilla in the room, but there are other companies that will be included in the investigation as well.”

“As the formal investigation begins, I stand by my caution to the American business community about engaging Huawei technology until we can fully determine their motives,” he added.

The investigation comes shortly after an intelligence report presented to Congress alleged that Russia and China are using cyber espionage to steal US economic secrets, a charge China subsequently denied.

“Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the intelligence community cannot confirm who was responsible,” the Office of the National Counterintelligence Executive said in the report.

Following media coverage of the report, Chinese Foreign Ministry spokesman Hong Lei told a daily news briefing that accusing the country of cyber attacks without an investigation was “both unprofessional and irresponsible”.

“I hope the international community can abandon prejudice and work hard with China to maintain online security,” he added.

Rogers, who is a former FBI agent, said yesterday that the committee “already knows the Chinese are aggressively hacking into our nation’s networks … and stealing secrets worth millions of dollars in intellectual property”.

A Huawei spokesperson told The Register in an email that the integrity of its gear had been proven by deployment by 45 of the top 50 telecoms service providers around the world “without security incident”.

“We acknowledge that network security concerns are very real and we welcome an open and fair investigation, whether by Congressional Committee or otherwise, focused on concerns raised by the interdependent global supply chain used by virtually every telecommunications equipment manufacturer providing solutions in the US and elsewhere,” the firm said.

A ZTE statement said: “ZTE is wholly committed to transparency and will cooperate in addressing any inquiries regarding our business. Our company is publicly traded with operations in more than 140 countries and we are confident a fair review will further demonstrate that ZTE is a trustworthy and law-abiding partner for all US carriers and their customers.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/us_probe_chinese_telco_firms/

Inside the mysterious US satellite hacking case

Analysis The cause and perpetrators behind interference against two US scientific satellites remain unknown to American military commanders more than three years after the mysterious event.

The Congressional US-China Economic Security and Review Commission said in its latest annual report that two US-maintained environment-monitoring satellites experienced interference at least four times in 2007 and 2008. Draft versions of the dossier, seen prior to the publication of the completed report last Wednesday, suggested the interference came from a ground station in Spitsbergen, Norway, and painted China as the chief suspect behind the presumed attacks.

However, the satellite services firm running the ground station told El Reg that there’s no evidence of any attack against its systems. Separately, the commander of US military space operations said that insufficient evidence made it impossible to confidently attribute blame over the possible attempts to take control of the Landsat-7 and Terra AM-1 satellites, which are both managed by NASA.

“The best information that I have is that we cannot attribute those two occurrences,” said General Robert Kehler, commander of the U.S. Strategic Command, Reuters reports. “I guess I would agree that we don’t have sufficient detail.”

Kehler made his comments during a conference call on cyber and space issues.

Earlier drafts of the commission’s report traced the cause of the probe interference to the Norwegian ground station owned and run by Kongsberg Satellite Services (KSAT), which denied any occurrence of interference via its facilities. In response to queries by El Reg, the satellite services firm issued a statement saying a thorough investigation has turned up nothing amiss. Neither NASA, which maintains the satellites, nor regulators at the National Oceanic and Atmospheric Administration had complained, it added.

The statement read:

KSAT has not experienced any attempt to enter into the company’s systems from outside sources. Furthermore, KSAT does not have any indication that hacking of satellites using the KSAT Svalbard station has taken place. A careful screening of our security systems has not indicated any attempts to access SvalSat from unauthorized sources.

We have not received any message from NASA that their satellites were hacked. To our knowledge, NASA has not observed any external, unauthorized access to their satellites.

The internet is occasionally used for distribution of x-band payload data received from the satellites to the end user. Hence, this communication channel cannot be an access point for unauthorized access if it had happened. Due to the layout of our communication systems it is not possible to access any NASA satellites from KSAT sources.

The US government, represented by NOAA, regularly inspects KSAT operation. Irregular activity has not been observed nor reported.

References to KSAT and Svalbard were removed from the commission’s final report because, according to a KSAT spokesman, the hacking allegations were “unsubstantiated and no evidence has been found”.

Despite this, the congressional committee report continues to argue that interference against the US satellites remains a threat. It says Chinese military doctrine advocates the use of techniques for disabling an enemy’s ground-based satellite control facilities during a time of conflict.

China is now among the top few space powers in the world. China’s leadership views all space activities through the prism of comprehensive national power, using civil space activities to promote its legitimacy in the eyes of its people, to produce spin-off benefits for other industries, and for military-related activities. For example, China appears to be making great strides toward fielding regional reconnaissance-strike capabilities. China has also continued to develop its antisatellite capabilities, following up on its January 2007 demonstration that used a ballistic missile to destroy an obsolete Chinese weather satellite, creating thousands of pieces of space debris.

As a result, in April 2011, astronauts evacuated the International Space Station out of concern of a possible collision with this debris.

In addition, authoritative Chinese military writings advocate attacks on space-to-ground communications links and ground-based satellite control facilities in the event of a conflict. Such facilities may be vulnerable: in recent years, two U.S. government satellites have experienced interference apparently consistent with the cyber exploitation of their control facility.

The report says links between supposedly secure control networks and the internet offer a soft underbelly that’s open to attack.

Malicious actors can use cyber activities to compromise, disrupt, deny, degrade, deceive, or destroy space systems. Exploitations or attacks could target ground-based infrastructure, space-based systems, or the communications links between the two.

Authoritative Chinese military writings advocate for such activities, particularly as they relate to ground-based space infrastructure, such as satellite control facilities.

Satellites from several U.S. government space programs utilize commercially operated satellite ground stations outside the United States, some of which rely on the public Internet for “data access and file transfers,” according to a 2008 National Aeronautics and Space Administration quarterly report.

The use of the Internet to perform certain communications functions presents potential opportunities for malicious actors to gain access to restricted networks.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/us_sat_hack_mystery/

Kindle hackers give Nook a thorough rooting

Gadget enthusiasts have managed to root the Nook Tablet.

The Android-based device, only unveiled by Barnes & Noble in the US last week, was pwned by the same group of developers who previously rooted the Amazon Kindle Fire. In both cases rooting the devices gives users the ability to install apps themselves, rather than being restricted to those offered by the manufacturer.

More details on how the Nook hack was carried out can be found on the XDA Developers forum, together with users’ mixed experiences. Not everyone can successfully complete the rooting process, though many can, suggesting that the script which pulls off the job may be either unreliable or (more likely) fiddly and in need of refinement.

The Nook Tablet is an eBook reader with a colour screen that also includes the ability to watch videos, view photos and play music. It includes Wi-Fi connectivity. Like its predecessor the device is only sold in the US, at least for now, because of a lack of distribution partners in either Europe or Asia Pacific. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/nook_tablet_rooted/

Google guru blasts Android virus doomsayers as ‘charlatans’

Google’s open-source program manager has launched an entertaining rant against firms offering mobile security software, accusing them of selling worthless software and of being “charlatans and scammers”.

Chris DiBona, Google’s open-source programs manager, argues that neither smartphones based on Google’s Android nor Apple’s iOS need anti-virus protection. Anyone telling you different is a snake-oil salesman, he said.

“Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM, and, iOS,” DiBona said on Google+. “They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM or iOS, you should be ashamed of yourself.”

He argues that smartphones are inherently more secure than PCs, while admitting mobile malware is not mythical but rather that it has rarely if ever caused much of a problem.

“No major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen,” he said. “There have been some little things, but they haven’t gotten very far due to the user sandboxing models and the nature of the underlying kernels.”

“No Linux desktop has a real virus problem,” he added.

It seems a report from Juniper Networks last week noting “exponential growth” in Android malware, blamed on the looser controls in the Android Market than those applied by Apple, provoked the Google guru’s splenetic outburst. DiBona doesn’t call out any of the mobile security charlatans he castigates so strongly by name but there’s no shortage of candidates.

Many anti-virus firms have branched out into offering security software for Android, including commercial products from Kaspersky Lab, F-Secure and Symantec. Lookout Mobile and AVG’s DroidSecurity offer basic protection software at no charge to consumers. Some security firms, Lookout and Intego, offer more basic security packages for iOS but without bundled anti-virus protection, which is not supported by iOS. Windows Mobile anti-malware is covered by the likes of F-Secure and others. Hardened BlackBerry devices exist but we’ve never come across a firm offering BlackBerry security software as a stand-alone product as yet. Viruses targeting BlackBerry remain unknown.

Security firms said DiBona has misunderstood both the threat and the capabilities of their products. Kaspersky Lab said that cybercrooks are migrating towards Android as the platform increases in popularity. The main problem is Trojans, malicious applications that pose as something useful to a smartphone user, rather than viruses. Kaspersky reckons one Trojan – DroidDream – has already infected 100,000 users.

Mikko Hypponen, F-Secure’s chief research officer, tweeted, “What @cdibona [Chris DiBona] is missing is that these tools do much more than just antivirus: Antitheft. Remote lock. Backup. Parental control. Web filter.”

Talk of exponential malware growth is justified but needs to be put into context: the huge rise is coming from a base of almost nothing, and the raw figures remain trivial compared to the Windows virus plague. Specialist mobile security firm Lookout, for example, estimates mobile malware instances have more than doubled to nearly 1,000 over the last four months alone. Windows malware estimates routinely exceed 5 million. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/mobile_security_dust_up/