STE WILLIAMS

US gov requests for Google user data grow 29%

The US government has once again outdone its peers in requesting that Google turn over user data for use in criminal investigations, with almost 6,000 demands in the first half of 2011, a 29 per cent increase from the previous six months.

The 5,950 requests that US law enforcement agencies filed with YouTube and Google sought data on 11,057 users or accounts, the company said in its Transparency Report, which the company releases twice a year. Raw data is available here. That compared with 4,601 requests issued from July through December of 2010.

Google said it complied with 93 percent of the requests in the most recent period.

The country submitting the second-highest number of requests was India, with 1,739 requests covering 2,439 users or accounts. UK law enforcement agencies issued 1,273 requests covering 1,443 users or accounts.

Google said it received 92 requests to remove data from its services. The requests asked that 757 separate pieces of content be removed. Among them were requests from two separate agencies to remove a video purported to show police brutality and video footage said to be defaming law-enforcement officials. Google refused both requests. In all, Google said it fully or partially complied with 63 percent of such requests.

In an accompanying blog post, Google Senior Policy Analyst Dorothy Chou renewed calls to update the 25-year-old Electronic Communications Privacy Act, which allows government investigators to access many forms of electronic records without a warrant.

Google is the only major internet company that issues a Transparency Report. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/google_transparency_report/

Obama man: ‘Global internet surveillance skyrocketing’

A top US government official believes that the internet is under fierce attack by authoritarian governments worldwide, and that the situation is rapidly deteriorating.

“Today we face a series of challenges at the intersection of human rights, connected technologies, business, and government. It’s a busy intersection – and a lot of people want to put up traffic lights,” said US Assistant Secretary of State Michael Posner, speaking at the Silicon Valley Human Rights Conference in San Francisco on Tuesday.

While the so-called “Arab Spring” may have proved the power of the internet to inform and unite repressed populations – an idea that Google’s public policy honcho dismissed as “hype” – Posner believes that it also awakened repressive governments to the need to more tightly control communication among their citizens.

“The result has been more censorship, more surveillance, and more restrictions,” Posner said.

Michael Posner, US Assistant Secretary of State for Democracy, Human Rights, and Labor

In the past, those governments were content to set up firewalls to block content they disliked – or feared – from coming into their countries. Now, Posner said, they’re using many more – and more sophisticated – tools, including deep-packet inspection and key-logger software.

“They are exerting over-broad state control over content, users, and over companies,” he said, “and they’re trying to change national and international legal standards to legitimize it all.”

As an example of an attempt at usurping control, he cited an effort at the UN last month in which China and Russia were joined by Tajikistan and Uzbekistan in an effort to impose what Posner called “an international code of conduct for information security.” According to Posner, that effort – if successful – would “shift cyberspace away from being a multi-stakeholder, people-driven model, to a system dominated by centralized government control.”

Iran, for example, hides its internet-controlling effort under the warm, fuzzy, Muslim term “halal internet”. Posner also warned against various groups’ calls for a “hate-free internet” – whether it be well-intentioned or motivated by a desire for thought control.

And as information communications technology moves ever deeper into less-developed countries, Posner sees the problems increasing. “These are the places where repressive regimes are getting hold of the latest, greatest Western technologies and using them to spy on their own citizens for purposes of silencing dissent,” he said. “Journalists, bloggers and activists are of course the primary targets.”

From his point of view, governments in some of these emerging markets “appear fiercely determined to control what people do online”.

Tweets without Twitter

Directing his remarks to the industry members in his audience, he suggested that they stay in touch with the other half of the crowd: activists, journalists, and bloggers who can provide early warnings of oppression and surveillance. Those worthies, Posner said, are “the canaries in your coal mine.”

He noted that “for the record, I offer that same advice to the very governments who often shoot the instant messenger by going out and jailing bloggers instead of listening to the valuable information they convey.”

The private sector has a responsibility to defend personal freedom, Posner said – adding that “the private sector is more powerful than ever.”

He praised the vibrancy of the tech sector, and of its global reach. “Many people here have made it their life’s work not only to develop transformative technologies but also to put them in the hands of people in places where digital empowerment is leaps ahead of political or financial or educational empowerment,” he said. “Never have great ideas gone from dream to global distribution so quickly.”

But it’s not enough to make great products. Creative minds also need to protect the freedom of the internet. “So I challenge each of you to work with us to help figure out what can happen next, what must happen next, to preserve the Internet as we know it,” he said. “Or the autocrats will figure it out for us.”

After all, he said, “With great code comes great responsibility.”

A full transcript of Posner’s remarks can be found on the US Department of State website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/michael_posner_at_svhrc/

Uncrackable quantum crypto undermined by new attack

Hopes of building an uncrackable cryptographic system using quantum mechanics have been called into question, after scientists devised a way to cheat a test used to detect secret keys that have been intercepted.

By blinding detectors with laser beams, the scientists were able to defeat what’s known as the Bell test. In theory, the test is supposed to show when a quantum encryption key shared between two parties has been intercepted by an eavesdropper. In principle, it’s impossible for a third party to tamper with it without disturbing its entanglement, a property that’s measured by the Bell test.

“There have been some strong statements about quantum cryptography being robust against any attack,” an article in Nature quotes Christian Kurtsiefer, an expert in quantum optics at the Center for Quantum Technologies of the National University of Singapore, as saying. “But it isn’t that simple.”

The attack works by shining a laser beam at a detector used by one of the parties sharing the key and intercepting some of its photons. The laser temporarily blinds the detector, allowing the attacker to register faked correlations. In theory, the Bell test should be able to recognize the counterfeit readings, but the difficulty of getting the test to work in practical settings requires scientists to discount a certain number of mismatches in the test results.

The findings appear in Physical Review Letters. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/quantum_crypto_attack/

Japan’s Parliament, defense contractor, pierced by hackers

Sensitive data belonging to 480 lawmakers and their staff may have been exposed for more than a month, after computers in Japan’s Parliament were infected by malware, it was widely reported on Tuesday.

The data-stealing trojan compromised computers used by three members of the Lower House, and possibly a server, The New York Times said. It gained a foothold after a lawmaker opened a file attached to an email at the end of July, Japan’s Asahi Shimbun newspaper reported.

The compromise gave attackers access to email and documents possessed by the chamber’s members until late August, Asahi said, citing unnamed sources. The trojan caused hijacked machines to communicate with a server located in China.

The reports came a day after Asahi published an article claiming that a previously reported attack on the network of a Japanese maker of sensitive weapons systems exposed plans for fighter jets and other defense equipment, in addition to nuclear power plant designs and safety plans. The attackers, who included simplified Chinese characters in their code, infected 83 computers and servers at 11 locations.

The Lower House Committee on Rules and Administration convened a meeting on Tuesday and agreed to set up a headquarters at the secretariat to investigate the case. A parliament official said the Cabinet Secretariat’s information security center and police are looking into the case. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/japan_parliament_hacked/

Krebs nabs ‘RSA attack’ list

When RSA’s network security was breached earlier this year, the result wasn’t only the replacement of its SecurID tokens all over the world.

At the time, specialists believed that similar techniques could have been deployed against other victims who mostly didn’t go public. Only a handful of stories confirmed the use of information gained in the “RSA hack” to other targets – such as Lockheed-Martin and L-3 Communications.

Now, Krebs On Security has published a list of networks that carried attack traffic of some kind, either because hosts on the networks were compromised, because malicious traffic traversed the networks from other sources, or because researchers were building infected machines to observe their phone-home behaviour.

Most of the command servers were in China, he writes, with a handful in South Korea, the USA, Brazil, India, Italy, Pakistan and the UK.

As Krebs notes in publishing the list, it has to be interpreted carefully. It would, for example, be unfair to assume that Trend Micro or Cisco’s IronPort business were compromised when they were more likely to be researching the attacks. Even so, his report states that around 20 percent of America’s Fortune 500 companies are on the list (keeping in mind, however, that some of those are the likes of Cisco, or telcos whose networks weren’t compromised but whose customers were).

The analysis is based on sources of traffic being sent back to the control machines used in the attack against RSA, and identified traffic sources by their AS names (that is, the names by which the networks advertise their routes).

Krebs notes the presence of names like Facebook, Amazon and Wells Fargo on the list, as well as government departments in several countries, and a bunch of academic networks.

The Register’s scan of the list for Australian companies only identifies carriers (AAPT, Amnet, Pacific Internet, Macquarie Telecom, Telstra, TPG Internet, Westnet, Verizon Australia and Optus subsidiary Uecomm among them) and data centres (Micron21). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/rsa_attak_list_leaked/

Top general warns of cyberspy menace to UK biz

A senior general has said that cyberattacks represent the biggest threat to national security, warning that British firms routinely lose commercially sensitive information to overseas rivals as the result of hacking.

Major General Jonathan Shaw, head of the Ministry of Defence’s cybersecurity programme, claims that hacking cost the UK economy £27bn. An MoD spokesman helpfully explained that the figure comes from a report by Detica, commissioned by the Cabinet Office and published back in February.

This report guesstimated that businesses lost £21bn to hackers, while UK citizens were left £3.1bn out of pocket and the government lost £2.2bn. Around a third of the £21bn cost to business was due to industrial espionage, such as stealing designs or commercial secrets. Around £1bn was lost through theft of customer data. The hardest-hit sectors were pharmaceuticals, biotech, electronics, IT and chemicals.

Reliable figures on cybercrime are notoriously hard to come by, and what figures there are frequently get used by vendors to push security sales or to persuade politicians to invest more in cybersecurity. The government earmarked an extra £650m for improving cyberdefences. Maj Gen Shaw seems to be arguing not for more money but rather for a greater focus on credible threats rather than movie plot scenarios, such as hackers taking down power grids.

“The biggest threat to this country by cyber is not military, it is economic,” Maj Gen Shaw, a veteran of the Falklands War and Iraq, told The Daily Telegraph.

“The cyberthreat could affect anyone, and we all need to take measures to protect ourselves against the threat it poses.”

An unnamed Warrington firm designed a “revolutionary blade for wind turbines [but] went bust after hackers stole the blueprint and produced a cheaper version”, according to Maj Gen Shaw.

“If the moment you come up with a brilliant new idea, it gets nicked by the Chinese then you can end up with your company going bust,” he said.

Maj Gen Shaw emphasised improving basic security defences at corporate level, such as improved password security and patching, in order to make life more difficult for foreign cyberspies. He avoided mentioning any offensive capability the UK might be developing.

Christophe Bianco, general manager, EMEA at Qualys, backed the general’s call for improved “cyberhygiene”.

“In the last 18 months, we’ve seen a significant increase in the amount of security breaches hitting companies, with many pointing fingers at competitors and foreign governments,” Bianco said. “Many of these are being dubbed as Advanced Persistent Threats (APTs), implying that they are very technical, sophisticated threats for which organisations are unable to equip themselves against.

“In fact, a large percentage of these attacks could have been prevented by taking simple measures as part of a proactive security strategy, referred to in the industry as having ‘good software hygiene’ – which Maj Gen Jonathan Shaw refers to. It’s now imperative that a company, no matter its size, industry or location, put into place robust security measures to protect their expertise and data.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/cyberespionage_menace/

5 SECONDS to bypass an iPad 2 password

Video The password protection of an iPad 2 running iOS 5 can be circumvented in less than five seconds with just three simple steps.

Bypassing the unlock screen on iPad 2 can be accomplished by first pressing the power button until the power-off screen is displayed. Users then need only to close and reopen the fondleslab’s ‘smart cover’ before, finally, pressing the cancel button to unlock the device.

After dodging the password protection, you can access the foreground application running at the time the device was locked, potentially exposing corporate email in the process. You can’t use the home button, so access is limited to foreground applications. As enterprise IT blog BringYourOwnIT.com notes, one obvious workaround would be to instruct users to close any foreground application before locking their iPad.

Below is a video posted by BringYourOwnIT.com illustrating the easy unlock process.

The security weakness comes days after it emerged that a locked iPhone 4S could be accessed using Siri, the voice-activated personal assistant built into the device. There’s an easy way for security-conscious users to disable Siri when their phone is locked, but this option isn’t applied by default, net security firm Sophos reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/ipad_password_sec_bypass/

Israeli gov nabs 6 for leaking population register

An employee of the Israeli Social Affairs Ministry has been arrested on suspicion of copying the personal details of nine million citizens listed in the population registry, according to the Justice Ministry.

The Justice Ministry’s Law, Information and Technology Authority (LITA) announced on Monday that they had arrested six suspects in connection with the theft in 2006, and subsequent distribution, of the personal details from the registry, which included the names and details of minors and deceased citizens, according to Israeli news reports.

LITA said the employee stole the information, which included names, identification numbers, addresses, birth dates and relationships, and kept a copy of it at his home. After the man had been let go from his job, he gave a copy of the stolen data to a business associate, who passed it on to other people, who also passed it on, until it reached someone who created a software program called Agron 2006 with the information.

The Agron 2006 program allowed users to query the information of any of the listed citizens and was widely available to the public on file-sharing websites. According to the Justice Ministry, a website was even created to explain how to use the program and encourage others to distribute the information.

LITA investigations’ department chief attorney Mili Bach said that “the online availability of the Population Registry and the Agron program was, for years, a blatant testimony to the intolerable gap that exists in Israel between the daily reality and the state law”, according to Ynetnews, the English-language sister-site of Ynet, a popular Israeli news website.

However, the suspects in the case also told Ynetnews that the Agron program was used by everyone, including legal firms and businesses.

“What’s so secretive here? This information can be found in the Yellow Pages and a thousand other places,” one of the suspects told the news site.

“This is a very popular database. I noticed that a lot of people had it, so it didn’t occur to me that having a copy was prohibited,” another suspect said. “I thought it was a basic names and addresses database. I didn’t think it had sensitive or secret information.”

Attorney Gil Dahoah, representing one of the suspects, also said that the population registry had been available to anyone for years and the state had not barred its use until now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/personal_data_of_nine_million_online/

Android upgraded to be more resistant to hack attacks

The newest version of Google’s Android mobile operating system has been upgraded to make it harder for hackers to hijack handsets by exploiting errors in the underlying code.

Android 4.0, aka Ice Cream Sandwich, has added a mitigation known as ASLR, or address space layout randomization. It works by routinely changing the memory locations where software components are loaded. As a result, it’s much harder for attackers to execute malicious code even when they’ve identified an otherwise serious vulnerability because they don’t know where Android will load their exploit’s payload.

Microsoft Windows, Mac OS X and Apple’s iOS rely on ASLR to minimize the risk of someone successfully attacking a system when targeting flaws that are inevitable in every complex piece of code.

“Android 4.0 now provides address space layout randomization (ASLR) to help protect system and third party applications from exploitation due to memory-management issues,” a note posted to the Android Developers blog said.
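To make the randomization described above concrete, here is an added example that is not from the Register article or the Android project: a small C probe that records where the program text, stack, heap and libc regions landed in the current process, so the output of two separate runs can be compared. The `/proc/sys/kernel/randomize_va_space` sysctl is the Linux kernel's real ASLR policy switch (Android runs on a Linux kernel); the helper names `take_snapshot`, `count_changed`, `layout_is_sane` and `self_check` are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Where the main regions of this process ended up. Every field is a raw
 * address cast to an integer so it can be printed and compared. */
typedef struct {
    uintptr_t text;   /* a function inside the program image itself */
    uintptr_t stack;  /* a local variable on the current stack frame */
    uintptr_t heap;   /* a block returned by malloc() */
    uintptr_t libc;   /* the FILE object behind stdout, which lives in libc's data */
} layout_t;

/* Sample the four regions once. Nothing here is Android-specific: the
 * same probe works on any POSIX system with a C compiler. */
layout_t take_snapshot(void)
{
    layout_t l;
    volatile int marker = 0;        /* volatile keeps it on the stack */
    void *block = malloc(64);

    l.text  = (uintptr_t)&take_snapshot;
    l.stack = (uintptr_t)&marker;
    l.heap  = (uintptr_t)block;
    l.libc  = (uintptr_t)stdout;

    free(block);
    return l;
}

/* Consistency check: every region was sampled and no two coincide.
 * Returns 1 on success, 0 otherwise. */
int layout_is_sane(const layout_t *l)
{
    uintptr_t v[4] = { l->text, l->stack, l->heap, l->libc };
    for (int i = 0; i < 4; i++) {
        if (v[i] == 0)
            return 0;
        for (int j = i + 1; j < 4; j++)
            if (v[i] == v[j])
                return 0;
    }
    return 1;
}

/* Number of regions whose address differs between two snapshots. Feed it
 * the values printed by two separate runs: with ASLR active you expect 4
 * (3 if the binary was not built as a PIE, because the text segment then
 * stays fixed); 0 means no randomization at all. */
int count_changed(const layout_t *a, const layout_t *b)
{
    int n = 0;
    n += (a->text  != b->text);
    n += (a->stack != b->stack);
    n += (a->heap  != b->heap);
    n += (a->libc  != b->libc);
    return n;
}

/* Linux only: read the kernel's ASLR policy. 2 = full randomization
 * (stack, mmap and brk), 1 = everything except brk, 0 = off.
 * Returns -1 where the sysctl cannot be read. */
int aslr_sysctl_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int level = -1;
    if (f) {
        if (fscanf(f, "%d", &level) != 1)
            level = -1;
        fclose(f);
    }
    return level;
}

/* Self-test: a snapshot must be sane, and count_changed() must report
 * exactly the fields that differ. Returns 1 on pass, 0 on failure. */
int self_check(void)
{
    layout_t a = take_snapshot();
    layout_t b = a;
    if (!layout_is_sane(&a)) return 0;
    if (count_changed(&a, &b) != 0) return 0;
    b.heap ^= 0x1000;   /* perturb two fields and expect exactly two changes */
    b.libc ^= 0x1000;
    return count_changed(&a, &b) == 2;
}

int main(void)
{
    layout_t l = take_snapshot();
    printf("text  %#lx\n", (unsigned long)l.text);
    printf("stack %#lx\n", (unsigned long)l.stack);
    printf("heap  %#lx\n", (unsigned long)l.heap);
    printf("libc  %#lx\n", (unsigned long)l.libc);
    printf("kernel randomize_va_space = %d\n", aslr_sysctl_level());
    puts("Run the binary again: regions whose address moves between runs are randomized.");
    return layout_is_sane(&l) ? 0 : 1;
}
```

Build with `cc -fPIE -pie aslr_probe.c -o aslr_probe` and run it two or three times. Stack, heap and libc addresses should differ on every run when the kernel policy is 2; if the text address stays fixed, the binary was not linked as a position-independent executable, which leaves the program's own code at a predictable location and is the usual gap worth checking in shipped native binaries. The `stdout` pointer is used rather than the address of a libc function because, without PIE, a function's address resolves to the program's own PLT stub instead of libc.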

Ice Cream Sandwich has also been upgraded to more securely manage private keys used to encrypt data and authenticate websites.

“Any application can use the keychain API to install and store user certificates and CAs securely,” the blog post said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/aslr_comes_to_android/

Cryptoboffin: Secure boot a boon for spooks’ spyware

A leading computer scientist has warned that the latest so-called Trusted Computing proposals may restrict the market for anti-virus and security software.

Cambridge University Professor Ross Anderson warns that the secure boot features in the UEFI firmware specification – understood to be required on certified Windows 8 machines – might even make it easier to smuggle state-sponsored trojans onto victims’ machines.

The secure boot system is designed to stop malware from being introduced into a computer’s boot sequence – but without the secret cryptographic keys, the firmware will also block non-harmful code, such as non-Windows OSes and legit anti-virus software.

“Building signed boot into UEFI will extend Microsoft’s power over the markets for AV software and other security tools that install around boot time; while ‘Metro’ style apps (ie, web, tablet and HTML5-style stuff) could be limited to distribution via the MS app store. Even if users can opt out, most of them won’t.

“That’s a lot of firms suddenly finding Steve Ballmer’s boot on their jugular.”

Anderson – who previously criticised UEFI (the Unified Extensible Firmware Interface) for making it “impossible” to run “unauthorised” operating systems such as Linux and FreeBSD on Windows 8 PCs – argued that the technology could make life easier for intelligence agencies at the expense of ordinary users.

“If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs’ Gmail, then I expect they’ll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware,” Anderson writes.

“Hey, I removed the Tubitak key from my browser, but how do I identify and block all foreign governments’ UEFI keys?”

The cryptoguru added: “Our Greek colleagues are already a bit cheesed off with Wall Street. How happy will they be if in future they won’t be able to install the security software of their choice on their PCs, but the Turkish secret police will?”

Anderson’s latest criticism of UEFI on the Light Blue Touchpaper blog is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/secure_boot_criticism_reloaded/