STE WILLIAMS

‘Find My Car’ iPhone app finds anyone’s car

An iPhone app released a few days ago called “Find My Car” has just turned into a PR disaster for shopping centre operator Westfield.

The idea seemed neat enough: download the app, and if you lose your car, just enter the number plate, which Westfield’s cameras had captured and indexed. Someone forgetting where they’d parked their car can then be shown a photo of where the car is.

As blogger Troy Hunt points out in this blog post, anyone can view anyone’s car.

Worse, he writes, the application can easily be unpicked to download the location, plates, entry and exit times of every vehicle in the Bondi shopping centre in which the service was first rolled out.

Picking the application apart, he says, shows that Westfield is “storing and making publicly accessible the time of entry and number plate of every single vehicle in the centre.”

Moreover, he demonstrates that access to this data isn’t just confined to someone using the “Find My Car” app: it’s on “public display to anyone with an Internet connection”.

It’s even possible that the underlying Park Assist service has been handled carelessly for longer than Hunt believes, with code purported to be from Park Assist posted to pastie.org back in April.

Not surprisingly, the service is offline at the moment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/find_my_car_fail/

Android banking trojan intercepts security texts

Developers of the SpyEye banking trojan have started bundling it with malware for phones running Google’s Android operating system to intercept text messages many financial institutions use to prevent fraud, researchers said.

The trojan known as Spitmo is SpyEye’s first in-the-wild malware to target Android, Ayelet Heyman, a researcher for Trusteer, wrote in a blog post published Tuesday. It’s offered to people already infected with the desktop version of SpyEye under the guise that Android phones must install security software to work with a bank’s online services. The SMS messages of those who take the bait are then continuously intercepted and sent to a website under the control of the attackers.

Heyman said Trusteer researchers who infiltrated a command and control server that stored the purloined data found evidence that very few people have been infected by the malicious Android app. But its discovery suggests that SpyEye designers are busy augmenting the trojan to get around a key defense many banks have adopted to thwart current generations of password-logging software: the use of one-time pass codes sent by text message to a customer’s phone. Trusteer uncovered Spitmo in late July after analyzing a computer that was infected by SpyEye.

SpyEye made its debut in December 2009 in Russian underground forums and has been drawing attention for its sophistication and moxie ever since. In February 2010, it was updated with a “ZeuS killer” feature that scanned computers it had infected for signs that they were already compromised by rival ZeuS banking trojan. When ZeuS was found, SpyEye removed it.

In January, researchers unearthed evidence that the source code for SpyEye and ZeuS had been merged, signaling competing developers had decided to join forces. More recently, SpyEye was caught tapping Amazon’s S3 cloud services for command-and-control support.

SpyEye’s Android component appears similar to a separate “man-in-the-mobile” app the banking trojan used to steal SMS messages from smartphones running the Symbian operating system.

For now, the smartphone components don’t appear to be making much headway. But with mainstream websites such as Google and Facebook using smartphone to deliver one-time passwords, it wouldn’t be surprising to see a proliferation of malicious apps that perfect the art of stealing SMS messages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/spyeye_targets_android_phones/

Facebook security profiling doesn’t like African log-ins

A tip-off from a source has turned up an interesting quirk in Facebook’s security measures. He claims the social networking site appears to discriminate against log-ins from Africa.

Our tipster, Raj from Vancouver, Canada, has an interesting if unusual set of circumstances.

Raj runs a tech business and uses Facebook to connect with customers. But because he appreciates getting round-the-clock coverage and because he doesn’t want to spend all his time updating Facebook, he has employed freelancers in Singapore, India and most recently Kenya to sign in and update his profile for him.

He could use a Page or a Group. But Raj is using a personal profile for this venture and in order to let his freelancers access his account, he shares his password with them.

And the problem? Raj’s employees in Singapore and India were both able to log in and work for him, but Sam – Raj’s Kenyan employee logging in from Nairobi – was blocked so many times by Facebook security checks he was unable to do his work. This became a problem to the extent where Raj was considering employing someone else in a different country who woulddn’t have the same problems logging in.

Raj is in a funny situation here: not many Westerners hire Kenyans to update their personal pages for them… But it’s exactly the unusual circumstances of Raj’s case that has brought this particular Facebook quirk to light.

To go into a little more detail: the log-ins from India and Singapore were challenged – once – and accepted by Raj on a particular computer back in Vancouver that Facebook recognised. The challenge screens look like the one below. However, the Nairobi log-in was challenged and accepted four times in a row before Raj gave up on trying to get the Kenyan log-ins accepted permanently and engineered a workaround by setting up a VPN so that Sam’s IP address matched his in Vancouver and lost the Kenyan connotations that seemed to be causing Facebook so many problems.

Screen grab of the Facebook security page Raj encountered 4 times

Raj wrote about the annoyance that the hyper security checks caused:

On four (4) separate occasions this week, Facebook temporarily locked us both out of my account. This has not only repeatedly disrupted my authorisations from other applications and social media work, klout, Facebook messenger (now a vital communication piece), and Microsoft Outlook  integration, but it’s sucked a bunch of my time up, too! It seems only I can unlock my account from my office computer, so poor [Kenyan employee Sam] sits idle at night and then has to wait for me to come to the office in the morning to unlock the accounts. Can you say annoying? After jumping through Facebook’s little hoop four times, all I can say is can you get the hint, Facebook?

It’s good that Facebook challenge log-ins from unfamiliar places. Goodness knows we give it enough stick for not protecting our security. But why did it accept Raj’s confirmation of log-ins in Singapore and not the ones in Nairobi?

In a statement to The Register, Facebook admitted that it is more likely to block or question log-ins from geographical areas it considers suspicious.

A Facebook spokesperson told us:

We verify log-ins security based on the likelihood of a log-in from that geographic area being erroneous. If we spot a lot of suspicious activity from a particular IP address or area, we’ll take steps to make doubly sure that log-ins from that location are valid. If you log on from a new location, device, or we are wary of the browser you use, we’ll use additional security checks.

As Raj put it, before he figured out the VPN workaround: “I’d hate to turn him [Sam] to the door because of a social network that won’t let me inherently trust a whole country or ISP.”

In an informal briefing with Facebook the company hammered home the point that you should never, ever, according to article 4.8 of the Facebook TCs share your password with another person.

But people share passwords: couples do it, friends do it, people who run events or businesses do it too.

Officially, a Facebook spokesperson told us:

If you log on from a new location, device, or we are wary of the browser you use, we’ll use additional security checks. Doing so is a responsible way of keeping our users’ information safe and secure; it isn’t discrimination. Furthermore, this issue could be resolved by the user having multiple admins using their own profiles to manage a Facebook page rather than a profile. It is against our terms to allow more than one person access to an individual profile.

So this is profiling: the same as airport security guards choosing to search an Arab man rather than a white woman, or cops in Brixton searching a disproportionate number of black male teenagers – but in this case it was on the verge of costing a man his job.

Of course Raj could set up a Page. However there are several advantages to having a Profile on Facebook. It’s possible to convert a Profile into a Page and to save your contacts – people who were “friends” with you will automatically switch to becoming “fans” of your page. But photos and contacts are the only two things transferred over, so other content such as past updates, wall-to-wall conversations and messages will be lost.

Raj mentions that he uses Facebook instant chat to talk to clients and chat is not available to Page-owners. Generally, as a personal profile you can access a lot more information about the people you are connected to, and as a Page you can only see their public information and can’t for example write on their walls.

Facebook is very clear that there should be a distinction between businesses and people, but as Raj is aware there are some uses to being a person with friends rather than a Page with fans. The disadvantage is that Facebook might terminate you and your Facebook activity. That’s in their terms and conditions too. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/facebook_africa_log_ins/

Facebook lets users have separated social, er, Circles

Facebook slotted a new feature into the ubiquitous social network yesterday that immediately got the blogosphere arguing over whether the company was copying Google+ and its people-curating Circles function.

Zuckerberg’s people were quick to point out that Facebook was here way before Google got into the networking biz.

“Lists have existed for several years, but you’ve told us how time-consuming it is to organise lists for different parts of your life and keep them up to date,” said Facebook’s Blake Ross in a blog post announcing the tweak, which is an optional function.

He said the Palo Alto-based company had created something it dubbed “Smart Lists” to help its stalkerbase refine what they share with whom on the site.

“Want to see posts from your closest friends? Or perhaps you’d like to share a personal story with your family — without also telling all your co-workers,” said Ross.

“With improved Friend Lists, you can easily see updates from and share with different lists of friends.”

In other words, users have now been given pre-defined templates for how they share their Facebook profile with others on the network.

There are also separate “close friends” and “acquaintances” lists, allowing users to see less or more of individuals they are connected to on Facebook. It will also creepily offer suggestions for which “friends” should see what on a user’s profile.

Google+, which only launched in late June, is Mountain View’s latest attempt to get in on the social networking game. It offers a thing called Circles, a platform that, in effect, allows users to create networks within the network, allowing them to keep groups of acquaintances separate from one another.

Previously Facebook let its users get on with the business of working out how to block or restrict certain “friends” from viewing the content they shared on the site.

Now it has made that option simpler by creating lists that clearly define who should be shuffled into which pack on the site.

Meanwhile, Facebook confirmed via an email to its users that it is testing a feature that will switch off individual email notifications.

It still wants to spam people’s email accounts, however.

“Instead, we’ll send you a summary only if there are popular stories you may have missed,” said Facebook. “You can turn individual emails back on and restore all your original settings at any time.”

This means, even for those people who had turned off every individual email notification sent by Facebook, that another tick box has been automatically filled in for all users that states the following:

“You are currently receiving only important updates and summary emails about stories you may have missed. You can uncheck the box to restore your original settings and customise individual email notifications.”

Those not interested in receiving such a summary can switch off the option by going into their Account Settings and clicking on the Notifications side menu.

Separately, Facebook confirmed to The Register – but surprisingly not in an official blog post – that Messenger, a separate app linking messages in Facebook with texts, chats and emails on a mobile phone, is now available to users in the UK. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/facebook_smart_lists/

Feds probe eBay over Craigslist plunder allegations

US prosecutors have launched a criminal investigation into allegations eBay employees stole confidential information from Craigslist, according to a grand jury subpoena.

The two internet companies have been slugging it out in the civil courts for years, with Craigslist insisting eBay used its stake in the classified ad website to figure out how to launch its own rival service in the US, which it did in 2007.

The subpoena, issued in California, is looking for a load of information and documents, including some regarding eBay founder and chairman Pierre Omidyar, according to Reuters after it obtained a copy of the writ – which was issued on behalf of the US Justice Department.

An eBay UK spokesperson told The Reg today that the company will cooperate in “any inquiry related to disputes between eBay and Craigslist. eBay believes that Craigslist’s allegations against eBay are without merit”.

eBay launched its own classified ad site Kijiji.com, later renamed eBayClassifieds.com, in 2007. Craigslist immediately moved to have eBay’s representative taken off its board and dilute the online auction house’s 28.4 per cent stake in the firm to 24.9 per cent. A lawsuit brought by eBay in Delaware in response came down to a one-all draw, with Craigslist losing the dilution of the stake but winning on sending the board representative packing.

eBay wanted that to be the end of it, but Craigslist has its own suit in a Californian court alleging breach of contract and breach of fiduciary duty, among other issues – all hanging on the allegations that eBay misappropriated confidential information from Craigslist to use in launching its own classifieds site. That case is still open.

At the time of publication, Craigslist had not responded to a request for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/ebay_criminal_investigation/

Report: Involve IT experts in releasing gov datasets

A review (84-page/927KB PDF) of information transparency and privacy commissioned by the Cabinet Office has concluded that IT experts should help decide whether to release datasets and the Information Commissioner’s Office (ICO) should have a greater technical awareness.

The review was led by Dr Kieron O’Hara, senior research fellow in electronics and computer science at the University of Southampton. In his report, O’Hara says the involvement of technology experts in a procedure for pre-release screening of data to ensure respect for privacy should be decided on a case-by-case basis. The procedure would include screening of user requests, consideration of potential privacy threats and the maintenance of a data asset register.

The register should set out which data sets were controlled, what they contain, and what decisions have been taken about their release, O’Hara proposes. It could be centrally curated, or kept by individual departments and agencies.

O’Hara said: “Technological developments have created so many imponderable problems… We need better institutions and conversations to screen data for the privacy implications of their release, and we need to include technologists in these conversations to a much greater degree than has historically been the case.”

The ICO has made “welcome strides” in recent months toward greater awareness of technical issues, the report says. In particular it has appointed a principal policy adviser in this area and created a technology reference panel.

But the document says that “the severe technical demands made by cutting-edge research in de-anonymisation means that more effort is needed in this direction”.

O’Hara says that these and other recommendations, such as creating sector transparency panels and publishing guidance for best practice on data.gov.uk, will allow the integration of privacy protection with transparency, and help preserve public confidence.

Cabinet Office minister Francis Maude said: “Over the past 12 months we have begun transforming the relationship between the public and the State.

“The public can now see how government spends its money, track crime in their area street-by-street, and hold ministers to account.

“The government is committed to ensuring that ongoing releases of data are done in a way that provides maximum transparency of data while applying the appropriate data protection safeguards.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/involve_it_experts_in_transparency_agenda/

Defendant presents Playmobil rendering of court in court

A Maltese woman accused of fraud and breach of copyright for flogging Playmobil dioramas on eBay earned herself a few pints on the El Reg Bootnotes department yesterday by turning up in court with a miniature rendering of her own trial.

Vicky Vassallo was dragged before the beak for selling “sets of Playmobil figures built into her own scenes”. Giving evidence, she admitted a 30-year obsession with the figurines, during which she travelled Europe to Playmobil fairs and battled with fellow Playmonutters to create the best diorama.

Vassallo claimed Playmobil promoted these competitions and awarded prizes for the best efforts. To demonstrate just what marvels can be conjured from the company’s wares, she then whipped out a Playmobil representation of her own trial, complete with “magistrate, the blonde deputy registrar, defence and prosecution”.

For the benefit of the chuckling court, and indeed those of us who have an interest in such things, Vassallo explained “how she assembled the model using different parts from various sets”.

She further indicated that Playmobil has no problem with this “customisation” process as long as people avoided unwholesome scenes of violence and the like.

Responding to questioning by Superintendent Carmel Magri as to the legality of her eBay operation, Vassallo said she didn’t need the nod from Playmobil to create and sell her sets, which were offered as second-hand goods.

Joe Giglio, defending, then got into the spirit of the occasion by asking Superintendent Magri what car he owned. The copper admitted to a nine-year-old Peugeot, which replaced a Skoda.

Giglio pressed the superintendent as to whether Skoda had authorised him to sell his previous motor, or indeed change its tyres. The truncheon fondler said no, but noted that “no official complaint was filed against him”.

The Vassallo trial comes a couple of years after two Maltesers were accused of selling stolen Playmobil figures, some of them modified to show “knights holding decapitated bleeding heads and arrows lodged in the heads”.

The figures in question allegedly came from Playmobil’s Malta plant. The British press was recently treated to a grand tour of the factory, but El Reg wasn’t invited – despite elevating our favourite figurines to hitherto unimagined heights.

We suspect this might have something to do with it, and possibly this, this and this. ®

Bootnote

Yeah, we know: Playmobil, or it didn’t happen. A Playmobil representation of a woman in court presenting a Playmobil representation of the same scene? Hmmm…

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/playmobil_evidence/

Celebs, victims selected to join in phone-hack probe

Former News International boss Rebekah Brooks will not take part in a judicial inquiry into culture, practices and ethics of the British press.

Brooks, who resigned from her job at NI in July after closing the “toxic” News of the World as allegations of widespread phone-hacking practices at the Sunday tabloid unfolded, had sought core participant status in the Leveson inquiry.

A list was published today confirming which individuals and organisations would be granted such status, following public submissions and written applications received by Lord Justice Leveson on 6 September.

“It is important to underline that part one of this inquiry is not concerned with the apportionment of personal or corporate responsibility,” said Leveson in his ruling.

He added, however, that he planned to keep core participant status submissions under review.

“If the inquiry proceeds along lines that cause me to consider that my view should be changed, I shall invite further representation. At each stage I will consider any application entirely on its merits,” Leveson said.

The inquiry will scrutinise three other areas: the press and the police; the press and politicians; and “the future”.

In July Leveson confirmed a wide-ranging probe into the relationship between the press and public and issues of press regulation. He has the power to force witnesses to attend hearings.

He said at the time that he would be investigating why the 2005 Motorman investigation by the Information Commissioner’s Office that highlighted what the watchdog described at the time as the “unlawful trade in confidential personal information” was never followed up.

As the scandal exploded at News International, which is the sister company of Rupert Murdoch’s News Corp, Prime Minister David Cameron backed calls for public inquiries into the “absolutely disgusting” phone-hacking allegations against the News of the World.

Cameron said at the time that he wanted inquiries not only into those claims against the tabloid but also into the original police investigation as well as consider broader journalistic methods employed by newspapers.

“We are no longer talking here about politicians and celebrities, we are talking about murder victims, potentially terrorist victims, having their phones hacked into. It is absolutely disgusting, what has taken place”, he said in July.

Core participants in this stage of the Leveson inquiry will include victims of press intrusion. Here’s the full list:

1 Chris Bryant MP

2 Tessa Jowell MP

3 Denis MacShane MP

4 The Rt Hon Lord Prescott of Kingston upon Hull

5 Joan Smith

6 Christopher Shipman

7 Tom Rowland

8 Mark Lewis

9 Mark Thomson

10 Gerry McCann

11 Kate McCann

12 Christopher Jefferies

13 Max Moseley

14 Brian Paddick

15 Paul Gascoigne

16 David Mills

17 Sienna Miller

18 Hugh Grant

19 Ben Jackson

20 Ciara Parkes

21 Simon Hughes MP

22 Max Clifford

23 Sky Andrew

24 Ulrika Jonsson

25 Mark Oaten

26 Michele Milburn

27 Abi Titmuss

28 Calum Best

29 Claire Ward

30 Mary-Ellen Field

31 Gary Flitcroft

32 Ian Hurst

33 Shobna Gulati

34 Mike Hollingsworth

35 Kieron Fallon

36 Ashvini Sharma

37 Tim Blackstone

38 Valatina Semenenko

39 Sally Dowler

40 Bob Dowler

41 Gemma Dowler

42 Sheryl Gascoigne

43 Graham Shear

44 JK Rowling

45 James Watson

46 Margaret Watson

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/rebekah_leveson_part1/

UK cyber security plan delayed till October

The UK government’s Cyber Security Strategy publication for this year is now expected in mid-October, after being delayed until after the party conference season.

The Minister for Cyber Security, Francis Maude, was due to make a parliamentary statement on the strategy before the end of the month, but Thursday is the last day that parliament is in session before the MPs head off to their party conferences.

The strategy “was not quite ready for publication” in time, a Cabinet Office spokesman said, adding that it would be published as soon as possible after parliament returns at the start of October.

“As a tier 1 national security priority, it needs to be announced in parliament,” stated the Cabinet Office. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/strategy_not_ready_before_party_conference_season/

Securo-boffins call for ‘self-aware’ defensive technologies

Security boffins should concentrate on creating self-aware technologies that can learn from cyber attacks, summit experts say, proving that none of them have ever seen a movie about artificial intelligence.

Participants at the inaugural World Cyber Security Technology Research summit also reckoned figuring out how to protect smart grids and mobile networks should be top research priorities, according to their report.

The experts were particularly concerned about the damage from smart grid hacking:

Smart utility grids have, for a variety of reasons such as their size and accessibility, a raised susceptibility to cyber attacks. Such attacks can destroy national critical infrastructure and the need for smart grid cyber security is therefore imperative.

And if the thought of your electricity, gas and water in the hands of hackers wasn’t enough to freak you out, they also mentioned they want security technologies that can think for themselves to protect us:

Research objectives in this area would include the development of cyber security technologies which have self-learning capabilities; self-awareness in cyber systems enabling early attack detection and self-configuration to defend against an attack; the establishment of feedback in cyber systems providing the capability of learning from cyber attacks.

So, just to be clear then, if these technologies did go rogue (and let’s face it, they probably would) their top capability would be learning how to defend themselves from attack. Maybe the cure is worse than the disease…

Apart from dread scenarios of doom, the specialists are also worried about the security of mobile networks given the rapid uptake of smartphones worldwide.

“This issue will only increase due to convergence in mobile architectures and the number of mobile users – five billion compared with 1.5 billion on the internet,” said Patrick Traynor, associate professor at Georgia Tech. “Malicious behaviour will simply follow utility – as mobile phones become the dominant computing platform, the expectation must be that they will be regularly targeted.”

The report also said that technology alone wouldn’t be enough to fight cyber crime:

Next generation cyber security research must take into account social, political, legal and economic aspects of this space. Social behavioural norms in cyber space need to be investigated, societal desires such as trust, safety, freedom and privacy must be examined, and attitudes to cyber security in source countries of cyber attacks should be studied.

The Centre for Secure Information Technology (CSIT) hosted security experts from the UK’s Home Office, US Dept of Commerce and the awesomely-named US Cyber Consequences Unit as well as universities, defence and IT companies at the summit in Belfast earlier this year. The resulting report (pdf) was published yesterday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/14/self_aware_cyber_security_technologies_should_be_a_top_priority/