STE WILLIAMS

A pair of petty thieves were hit with a conditional discharge after pilfering a load of fruit and veg from allotments in Cambridgeshire.

The light but grubby fingered vegetable rustlers were searched by suspicious cops across the road from allotments in Brampton, Cambs.

Lawrence Miller, 44, and Steven Randall, 46, were found to be carrying a bag of what appeared to be freshly harvested produce, the Telegraph reports.

The suspicious cops called out allotment holders for a roadside ID parade of the haul, which included two or three marrows, a butternut squash, leeks and cabbages. Other reports suggest there was also a quantity of rhubarb, beetroots and cabbages.

Allotment holders instantly ID’d their stolen veg, with one pointing to what the Telegraph described as “a marrow with a distinctive stripe”.

Kevin Warboys, defending Randall, told the court that both men were “day to day grinding along in extreme poverty” and had stolen the roots and fruits to feed their families. The pair were ordered to pay £20 compensation and £85 costs, and given a conditional discharge.

Allotment thefts are a growing problem in the UK, as rising food prices take their toll, and the middle classes discover the joy of dodging Waitrose’s organic price tags by having a few convenient rods on what would otherwise be wasteground.

Extremely smallholders have taken to starting allotment watches.

Your reporter has heard horror stories of entire apple trees being denuded overnight or entire plots of potatoes being turned over by callous thieves. He was told of one incident in Wimbledon where a veg rustler was chased by angry growers and cornered up a tree, only to insist he’d done nothing as: “It’s a community allotment, and I’m part of the community. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/allotment_thieves/

Computer games outfit Valve has suspended its Steam user forums following unconfirmed reports of a security breach.

Eurogamer claims that the official message board for Valve’s Steam online games platform, Steampowered, was “defaced” on Monday night shortly before the site was suspended.

It is believed the defacement involved inserting a prominently displayed message promoting a site called FknOwned.com, which offers video game hacks, as captured in a screenshot of the gaming site here. This wasn’t a simple case of link-spamming, but an out-of-place ostensibly promoted topic on the forum.

In addition, some gamers reported the receipt of spam emails promoting fkn0wned, supposedly from Steampowered.com. This would imply that hackers may have got their hands on email addresses or at least accessed a way to send messages via the Steampowered board, but this remains unclear.

The Steampowered forum remains suspended at the time of writing on Wednesday morning, with the usual discussion threads and information replaced by a holding message.

The Steam Forums are temporarily offline for maintenance. Your patience is appreciated.

There’s no evidence to suggest that Steam accounts have been breached. However in the absence of any official word from Valve on the incident, you can’t blame gamers from being more than a tad concerned.

The apparent breach of Valve’s online forum is the latest in a string of security slips affecting video game developers this year, the most notorious of which led to the weeks-long suspension of Sony’s PlayStation Network following a hack attack that exposed private information on million of users back in April. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/steam_forum_hack/

Lookout Mobile Security is going international with localised versions of its mobile security software and a partnership to pre-embed its technology in Android phones supplied by Telstra Australia, its first mobile telco partner outside the US.

The mobile security specialist already claims more than 12 million users across 170 countries but wants to expand its presence through forging partnerships with mobile telcos in Western Europe and other key markets, such as Japan. It already partners with Sprint, Verizon and T-Mobile in the US.

Each telco pre-embeds free versions of Lookout’s security software on Android smartphones they supply in return for a share of the income if and when these users convert to using a premium (paid-for) version of the software. The same technology also works on Android tablets.

Lookout branched out in October by offering a free of charge version of its software for iPhones and iPads. A premium version of the software may follow, but for now the firm is relying on sales of premium versions of its Android software to a largely consumer customer base. Company execs surprisingly declined to answer our question about conversion rates but did say that most of Lookout’s users get the basic versions of its software via Android or Apple app stores rather than bundled with their smartphones.

Freebie versions of Lookout’s technology offer basic data backup to the cloud (contacts etc) and find-my-phone capabilities, on both Android and iPhone, platforms as well as anti-malware on smartphones from Android. Anti-virus scans on iPhones are against the Jobsian faith, at least for the immediate future, and (in fairness) aside from a couple of worms from a few years back iOS malware doesn’t really exist.

Lookout Premium for Android comes with extra features including a safe browsing feature that warns about phishing or malware-tainted websites; Privacy Advisor, a tool that details whether personal information is accessed by each mobile app; and remote lock-and-wipe capabilities for £1.99 a month, or £19.99 a year.

The firm competes with the likes of DroidSecurity, an Israeli developer acquired by AVG last year, which marketed an ad-supported antivirus app for Android smartphones and tablets, now offered under the Antivirus Free for Android Devices and Antivirus Pro for Android Devices brand names. Traditional desktop anti-virus firms such as Symantec, Kaspersky Lab and others also market security suites for Android.

Just under half of the UK population now owns a smartphone, according to industry estimates. As mobile devices proliferate they are becoming a more attractive target for cybercrooks. Lookout estimates mobile malware instances have more than doubled to nearly 1,000 over the last four months alone. Much of this malware originates in either Russia or China, but targets people worldwide. For example, Lookout identified an Android Trojan, dubbed GGTracker, which is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The malware targets US victims, signing them up to premium rate SMS subscription services without their consent.

Estimates on PC malware numbers vary between vendors but invariably exceed three million or more.

John Hering, chief exec of Lookout Mobile Security, told El Reg that the crooks developing mobile malware are not always the same people who churn out malware for PCs, even though they are adopting at least some of the same tactics. Cybercrooks have developed their own software development kits for Android that allow them to produce smartphone malware strains more quickly, for example.

Lookout has no plans to expand onto BlackBerry or Windows Mobile. “The future for consumers is with Android and Apple,” Hering said. “We’re focused on consumers but we plan to move into the business market. We have the cloud based-technology but a management console still needs to be built.”

The international launch of Lookout on Wednesday comes in the middle of the UK’s annual Get Safe Online campaign week, which this year is focusing on the dangers of premium rate text scams that abuse malware-infected mobile phones.

Rik Ferguson, director for GetSafeOnline.org and of security research at Trend Micro, demonstrates how Trojan apps work (using a malware simulator) in an informative and hype-free video clip published by the BBC here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/lookout_mobile_security/

Analysis The public thinks that paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments.

Orange Quick Tap is already deployed in the UK; we used one to buy cookies in Inverness and they were delicious. In the US Google Wallet is already on the streets and can host a pair of payment schemes within its secure element.

But in order to understand how secure proximity payments really are, we chatted to Orange, Barclaycard and security biz Gemalto to gauge how confident they are that no one is going to pick pockets by radio.

Millions of UK credit cards already have pay-by-wave payment technology built in, and hundreds of thousands of retailers accept these proximity payments, but Gemalto (which makes the secure elements in SIM chips) found that only a third of the population knows what near-field communication (NFC) is. More than a third reckon they’d never pay by tap because they believe it will never be secure. Which is a shame, because it’s at least as secure as the alternatives, and it will come whether the public wants it or not.

How does it work?

Today’s proximity payment systems are based on the NFC standard, which uses a radio connection at 13.56MHz for short-range peer-to-peer communications. The same frequency is used by RFID tags, in a simplistic way, but NFC is a good deal more complicated, and expensive.

RFID tags are powered by the received radio signal, so various groups have demonstrated that by upping the radio signal strength they can read the tags at a considerable distance – 80 miles if some are to be believed. But NFC devices are a lot more complicated, and (critically) draw power from a wireless induction loop in the reader, not from the radio signal.

That’s important, because a radio signal can easily be amplified to increase the range, but running induction power over a distance of more than a few inches requires huge amounts of energy and an enormous loop. So anyone planning to interact with your NFC card, or phone, from more than a meter will probably have your hair standing on end and coins heating in your pocket.

Not that most would bother: snuggling up close is easy enough on public transport so getting within 10cm of your phone, or credit card, should’t be a problem.

But it’s not just a matter of getting close. The NFC component won’t communicate with just anyone, our miscreant needs to get hold of a legitimate reader – perhaps by registering as a merchant under a suitably false identity. That registration will provide a bank account for our thief to stash his ill-gotten gains, temporarily, though it also exposes our crook to considerable attention which will make it easier to track him down later.

Soft readers, which are smartphone apps that can operate as an electronic till, will come along soon enough, making it easier for our thief to nick cash. But even then the bank will only transfer money into a named account, so our swindler will have to have that set up and register it with the payment scheme.

But assuming creative use of a false moustaches and forged identity documents our man now has his fake merchant account and is right next to you, with a reader communicating direct to your pocket. Transactions are supposed to complete within 400ms so he won’t have to stand close for long. But far from just reading the NFC tag the process is comprised of a number of cryptographic steps which further complicate things for our chap.

Next page: How will I be protected?

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/proximity_payments/

TeamP0ison has lobbed a file on Pastebin which purports to be a few hundred e-mail accounts complete with passwords.

Or so it seems, for the first 23 accounts in the list, which cover addresses from the UK’s Ministry of Defense, Australia’s Bureau of Meteorology, the money-movement watcher Austrac, IP Australia, Liverpool Council, and the Fijian government.

After that, the scoop starts to seem a little less scoopy: the remaining 170, the dumb drop suggests, nearly all have the user’s first name as password and last name as username.

Somehow, that doesn’t ring true. While I’m willing to accept that not all MPs in Australia’s federal parliament are too smart to use a name as a password, I’m pretty sure the parliamentary system – which is under pretty constant tapping at least, to see if there’s a door left open somewhere – would enforce more rigorous passwords.

From that point of view, Hex00010’s paste looks as much a cock-up as a hack.

However, if (say) Wayne Swan wants to take a look at Senator George Brandis’ email, TeamP0ison apparently reckons Brandis is the username and George the password.

You just can’t get the staff, these days. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/teamp0ison_publishes_stupid_password_list/

Improved safeguards and greater resources for law enforcement are needed to tackle the related problems of cyber-bullying and online grooming, according to a report by an EU security agency published on Tuesday.

ENISA (the European Network and Information Security Agency) warned that the mishandling of personal information gathered using data-mining or profiling harms young people. It said private data exposed on the web might be subsequently seized upon and misused by bullies, online predators or crooks. This is obviously detrimental to anyone’s well-being and the development of children’s social skills.

Many parents lose control of their children’s online environment as they lack the knowledge and tools to support their offspring, ENISA notes.

Prof Udo Helmbrecht, executive director of ENISA, commented: “Our children run the risk of becoming victims of online grooming and cyber-bullying; therefore actions are needed to protect teenagers’ cyber activities.”

ENISA Expert Group on internet risks has come up with a list of 18 recommendations on how to tackle the twin problems of online bullying and grooming. The key recommendations include the need to strengthen law enforcement agencies in member states. Greater resources and manpower are needed to “properly cover regulatory issues, statistical data collection of misuse cases, and follow up on privacy breaches”, the group said. How to pay for increased manpower and resources for police at a time of Europe-wide economic crisis is not tackled by the report, however.

The EU agency would also like to sponsored online campaigns to prevent grooming and cyber-torment on social networks. It would also like to see specialised security settings and user account profiles for teenagers to cover their particular needs, plus better privacy and age-related controls for applications that have access to teenagers.

In addition, ENISA would like to see improved efforts to educate parents about cyber-threats. The full report, including an assessment of risks and recommendations to different target audiences, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/eu_study_cyber_bullying_grooming/

November marked a light Patch Tuesday with just four bulletins, only one of which tackles a critical flaw.

All four advisories relate to problems in Windows. None is related to the zero-day vulnerability related to Duqu, the highly sophisticated worm reckoned to be related to the infamous Stuxnet pathogen.

The flaw exploited by Duqu involves flaws in the rendering of embedded TrueType fonts, something that might be exploited through maliciously formatted Word documents. Microsoft acknowledged the flaw last Thursday, releasing a workaround that disables the rendering of embedded TrueType fonts as a temporary fix, pending the development of a proper patch to plug the security hole.

A handy graphical overview of problems Microsoft is able to fix this month can be found at the SANS Institute’s Internet Storm Centre (ISC) here. ISC agrees with Microsoft that a flaw in the TCP/IP stack that “allows random code execution from a stream of UDP packets sent to a closed port” (MS11-083) covers the most sever threat in November’s patch batch. However it thinks a flaw in Active Directory involving potential failures in rejecting revoked digital certificates is almost as bad and also ought to be treated as critical, one notch up from Redmond’s assessment of the bug as only “important”.

Neither the Active Directory bug nor the TCP/IP stack flaw have been weaponised into exploits. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/nov_patch_tuesday/

Pressure mounted on Theresa May this morning after the UK Border Force chief Brodie Clark left the agency, claiming the Home Secretary was wrong to claim that he had relaxed passport checks without ministerial consent.

The row, ignited over the weekend, led to urgent questions being asked in the House of Commons on Monday and a select committee grilling of May yesterday regarding changes to various border control procedures during the summer.

MPs have been clamouring for answers from the Home Secretary about what went wrong. She claimed on Tuesday that “biometric tests were abandoned on a regular basis” without being authorised by the Cabinet minister.

A pilot, sanctioned by May, commenced in July to target what she described as “high-risk passengers” entering UK ports. However, she admitted on Monday that Clark had “authorised the wider relaxation of border controls without ministerial sanction”.

During the busy summer months, immigration border guards were told to ignore biometric chips on the passports of non-eurozone citizens. Staff were also told to stop cross-checking personal information and fingerprints against a Home Office database of terror suspects and illegal immigrants.

May told the House: “I did not give my authorisation or consent … as a result of these actions we will never know how many people passed through.”

Clark denied those claims today, and said via a statement issued by his union – the First Division Association – that he would be lodging a “constructive dismissal” complaint with the UK Border Agency (UKBA).

The senior civil servant said:

Those statements are wrong and were made without the benefit of hearing my response to formal allegations. With the Home Secretary announcing and repeating her view that I am at fault, I cannot see how any process conducted by the Home Office or under its auspices, can be fair and balanced.

The Home Secretary suggests that I added additional measures, improperly, to the trial of our risk-based controls. I did not. Those measures have been in place since 2008/09.

The Home Secretary also implies that I relaxed the controls in favour of queue management. I did not. Despite pressure to reduce queues, including from ministers, I can never be accused of compromising security for convenience.

This summer saw queues of over three hours (non-EU) on a regular basis at Heathrow and I never once contemplated cutting our essential controls to ease the flow.

On the trials, I have pressed since December 2010 to progress these and I was pleased when the Home Secretary agreed to the pilot arrangements. The evidence to support them is substantial and the early findings are encouraging.

I would do nothing to jeopardise them and I firmly believe that a more fully risk-based way of operating will offer far greater protection to the United Kingdom.

Clark technically hasn’t handed in his resignation to the UKBA of which his Border Force is a branch. Instead he said his position had become “untenable” following May’s claims, and added that he was “saddened” to see his career end so abruptly after 40 years of “dedicated service”.

The absent Border Force chief won’t be making any further comment until he appears before the Home Affairs Select Committee.

Meanwhile, the UKBA backed May yesterday evening.

“Brodie Clark admitted to me on 2 November that on a number of occasions this year he authorised his staff to go further than ministerial instruction,” said the agency’s boss Rob Whiteman. “I therefore suspended him from his duties.”

Whiteman added: “In my opinion it was right for officials to have recommended the pilot so that we focus attention on higher risks to our border, but it is unacceptable that one of my senior officials went further than was approved.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/uk_border_force_chief/

The Duqu malware that targeted industrial manufacturers around the world contains so many advanced features that it could only have been developed by a team of highly skilled programmers who worked full time, security researchers say.

The features include steganographic processes that encrypt stolen data and embed it into image files before sending it to attacker-controlled servers, an analysis by NSS researchers found. Using a custom protocol to hide the proprietary information inside the innocuous-looking file, before it’s sent to command and control servers, is a centuries-old technique used to conceal the exchange of sensitive communications.

Duqu is also the world’s first known modular plugin rootkit, the researchers said. That allows the attackers to add or remove functionality and change command and control servers quickly with little effort. The conclusion the researchers draw from their analysis is that Duqu is the product of well organized team of highly motivated developers.

“Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs,” NSS researchers Mohamed Saher and Matthew Molinyawe wrote. “The implication is that, given the requirement for multiple man-years of effort, that this has been produced by a disciplined, well-funded team of competent coders.”

The modular design means that there’s a potentially large number of components that have yet to be discovered. NSS has released a scanning tool that can detect all Duqu drivers installed on an infected system. The tool doesn’t generate false positives and has already been used to spot two previously undetected Duqu drivers, the researchers said.

“We hope the research community can use this tool to discover new drivers and would ask that any samples be provided to NSS researchers (anonymously if preferred) in order to aid us in understanding more about the threat posed by Duqu,” they wrote.

The researchers echoed previous reports that Duqu contains many similarities to the Stuxnet worm used to sabotage uranium enrichment plants in Iran. The NSS analysis said Duqu uses similar code and techniques to those of Stuxnet, but they said there’s not enough evidence to say Duqu is derived from Stuxnet.

“Many researchers are claiming definitively that the Duqu authors had access to the original Stuxnet source code,” they wrote. “This has not been proven. It is possible for anyone to reverse engineer the original Stuxnet code to the point where it can be modified and recompiled.”

If at the end of all of this you’re left scratching your head, you’re in good company. Duqu’s state-of-the-art design and its resemblance to Stuxnet makes the malware worth watching, but with key questions still unanswered, it’s too early to know exactly what to think.

“There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far,” they wrote. “Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have yet to see the real ammunition appear.” ®

Follow @dangoodin001 on Twitter.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/09/duqu_analysis/

Computer systems used to control federal prison facilities are riddled with vulnerabilities that might allow criminals to meddle with cell door opening mechanisms or shut down internal communications systems, according to security researchers.

The vulnerabilities – which stem from flaws in industrial control systems and programmable logic controllers – were demonstrated by a team led by John Strauchs, who demonstrated the flaws at the recent Hacker Halted information security conference in Miami. Despite having no previous experience with SCADA (industrial control) kit, Strauchs and his colleagues were able to develop workable exploits, validated using a test rig that cost just $2,500 to construct in the basement of his research partner, Teague Newman. Strauchs’ daughter – attorney, professor and computer security researcher Tiffany Strauchs Rad – also contributed in the research.

The resulting talk, SCADA And PLC Vulnerabilities In Correctional Facilities (abstract below), sounds absolutely gripping.

On Christmas Eve, a call was made from a prison warden: all of the cells on death row popped open. Many prisons and jails use SCADA systems with PLCs to open and close doors. Not sure why or if it would happen, the warden called physical security design engineer, John Strauchs, to investigate. As a result of their Stuxnet research, Rad and Newman have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to “open” or “locked closed” on cell doors and gates. Using original and publically available exploits along with evaluating vulnerabilities in electronic and physical security designs, this talk will evaluate and demo SCADA systems and PLC vulnerabilities in correctional and government secured facilities while recommending solutions.

The researchers have turned over a dossier on their findings to state and federal prison authorities, who have good reason to take its findings seriously. “We validated the researchers’ initial assertion … that they could remotely reprogram and manipulate [the ICS software and controllers],” Sean P McGurk, a former Department of Homeland Security cybersecurity director, told the Washington Times.

Possible exploits include overloading the electrical system that controls prison doors, locking them permanently open, or crashing either CCTV or prison intercom systems.

Strauchs began his project to investigate the security of industrial control systems in prisons after he was asked to investigate an incident during which all the cell doors on one (unnamed) prison’s death row spontaneously opened. The cause was eventually traced back to a random power surge, but the incident got Strauchs thinking and prompted him to have a closer look at the security of industrial control systems in prisons.

Industrial control systems in prisons have no business being connected to the internet. Despite this, the team of researchers led by Strauchs discovered every prison system they looked at was connected to the internet one way or another.

In some cases, for example, the internet connection was set up so that remote maintenance of the kit could be carried out without the need for contractors to visit the jail. In other cases networks used to enable prison staff to access the net were poorly segmented from SCADA control systems. Infected USB drives contaminated with a Stuxnet-style worm posed another, wholly unguarded infection vector. SCADA systems might be deprogrammed by malware of this type either accidentally or (more plausibly) by either bribing or blackmailing a prison guard. A targeted malware-infected email might also be used to introduce a SCADA worm into a prison environment.

“You could open every cell door, and the system would be telling the control room they are all closed,” Strauchs, a former CIA operations officer, told the Washington Times.

Anyone who got out of their cell this way would still have prison guards, dogs, guns and barbed wire to contend with if they hoped to escape. Strauchs said a more plausible scenario might be that the security weakness was exploited to slip assassins out of their cells in order to gain access to a targeted prisoner. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/scada_vulns_prison_jailbreak_risk/