STE WILLIAMS

GlobalSign says ‘isolated’ webserver was hacked

Web authentication authority GlobalSign, which voluntarily suspended operations last week while it investigated claims its security was breached, said it has uncovered evidence that one of its servers has been compromised.

“The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website,” the authorized issuer of secure sockets layer certificates said in an advisory published this weekend. “At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely.”

The certificate authority went on to say that it’s in the process of bringing its systems back online and expects to begin processing orders on Tuesday.

GlobalSign’s notice that it was hacked comes two weeks after the discovery of a counterfeit SSL credential issued by disgraced certificate authority DigiNotar that was being used to spy on people in Iran as they visited Gmail and possibly other Google properties. Over the following week, an account holder on Pastebin.com published a file signed with the private key of the bogus Google certificate, proving he had close ties to the person or people behind the attack. The person claimed to have access to GlobalSign and three other certificate authorities, but provided no proof.

GlobalSign responded by temporarily suspending its operations while it investigated the claims. It brought in Dutch security auditor Fox-IT to assist. Fox-IT also worked with DigiNotar following its security breach.

With its admission, GlobalSign’s breach becomes at least the seventh time an entity that issues SSL certificates has been hacked this year. Four resellers of Comodo have been compromised, including one that allowed the attackers to mint fraudulent credentials for Gmail and six other sensitive addresses. A similar attack hit Israel-based StartSSL, but the attackers didn’t succeed in securing the bogus certificates.

In March, the Pastebin account holder published a private key for the fraudulent Google certificate issued by a Comodo reseller, proving the individual also had close ties to at least one of those hacks.

Last week, Mozilla responded to the DigiNotar attack and its aftermath by requiring all certificate authorities included in the Firefox and Thunderbird programs to perform similar security audits and ensure that their systems use two-factor authentication when issuing certificates. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/globalsign_security_breach/

Printable mini-display tech draws power from NFC devices

Cambridge-based PragmatIC has produced an NFC-enabled label with a built-in screen picking up power from the device reading the tag, surely worth £600,000 of anyone’s money.

The technology involves printing a tag with an embedded Near Field Communications transponder, but one that also incorporates a small screen powered by the same induced current used to run the transponder. The screen can only display one image, and only for a few seconds, but is thinner than a human hair and really cheap.

Stock photo of induction-powered screen

The screen is top right, and stays active for 2-3 seconds following a read

We mention the development cost of £600,000 as half the cash came from the UK Government’s Technology Strategy Board, which feeds money from the Department of Business, Innovation and Skills into the UK technology industry.

In this case the development was done by Cambridge-based PragmatIC and Hampshire’s DeLaRue – the latter being a big name in the secure-printing industry (found on chequebooks, credit cards and the like).

NFC tags draw power from the device being used to read them (be that an NFC phone or other reader). That power can be used to transmit an identity number or complete some sort of cryptographically secured challenge/response process, depending on the level of security required. The Remotely Activated Interactive Labels (RAIL) developed by PragmatIC use that same power to light up the screen, which fades a few seconds after the power is removed.

It is possible to imagine a tag hanging on a piece of clothing that displays a logo only when the tag is read to prove that it’s genuine, and DeLaRue reckons this is comparable to the hologram that adorns credit cards to make them harder to copy. But we can’t help feeling that once you’re reading the NFC tag then the cryptographic challenge should weed out counterfeits a lot more effectively than a monochrome logo.
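To show why the cryptographic challenge beats a printed logo as a counterfeit check, here is an added example (not code from the article, PragmatIC or DeLaRue): a reader challenges a tag with a fresh nonce and the tag answers with an HMAC under a per-tag key diversified from a master key. A counterfeit that copied the tag’s UID (and could print the same logo) has no key, and one that recorded a previous exchange cannot replay it. The master key, tag UID and 16-byte response length are constructed values for the demo, and the HMAC-SHA256 scheme is an illustrative choice rather than any vendor’s protocol.

```python
import hashlib
import hmac
import secrets

# Constructed demo values (not from any real deployment).
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
RESPONSE_LEN = 16  # truncated MAC, as a power-constrained tag might send


def diversify_key(master_key: bytes, tag_id: bytes) -> bytes:
    """Per-tag key derived from the master key and the tag UID.

    A counterfeit that copies the UID still lacks the key, and one leaked
    tag key does not expose the master key or the keys of other tags."""
    return hmac.new(master_key, b"tag-key|" + tag_id, hashlib.sha256).digest()


def mac_response(tag_key: bytes, tag_id: bytes, challenge: bytes) -> bytes:
    """The response both sides compute: HMAC over the UID and the reader's nonce."""
    return hmac.new(tag_key, tag_id + challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


class GenuineTag:
    """Tag whose key was provisioned at manufacture and never leaves it."""

    def __init__(self, tag_id: bytes, master_key: bytes):
        self.tag_id = tag_id
        self._key = diversify_key(master_key, tag_id)

    def respond(self, challenge: bytes) -> bytes:
        return mac_response(self._key, self.tag_id, challenge)


class ClonedIdTag:
    """Counterfeit that copied the UID (and the logo) but holds no key."""

    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return secrets.token_bytes(RESPONSE_LEN)  # can only guess


class ReplayTag:
    """Counterfeit that recorded one genuine response and repeats it
    regardless of the challenge it is given."""

    def __init__(self, tag_id: bytes, recorded_response: bytes):
        self.tag_id = tag_id
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


class Reader:
    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def authenticate(self, tag) -> bool:
        # A fresh nonce on every read is what makes a recorded answer useless.
        challenge = secrets.token_bytes(16)
        tag_key = diversify_key(self._master_key, tag.tag_id)
        expected = mac_response(tag_key, tag.tag_id, challenge)
        # Constant-time comparison so a guessing tag learns nothing from timing.
        return hmac.compare_digest(expected, tag.respond(challenge))


def demo() -> dict:
    """Run the three tag types through the reader and report the outcomes."""
    reader = Reader(MASTER_KEY)
    tag_id = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UID
    genuine = GenuineTag(tag_id, MASTER_KEY)

    # An eavesdropper captured one earlier exchange with the genuine tag.
    earlier_challenge = secrets.token_bytes(16)
    recorded = genuine.respond(earlier_challenge)

    return {
        "genuine": reader.authenticate(genuine),
        "cloned_id": reader.authenticate(ClonedIdTag(tag_id)),
        "replayed": reader.authenticate(ReplayTag(tag_id, recorded)),
    }


if __name__ == "__main__":
    print(demo())  # expect {'genuine': True, 'cloned_id': False, 'replayed': False}
```

The point the example makes is that the UID and the visible logo are both copyable, while the response depends on a key that never leaves the genuine tag and on a nonce the reader picks afresh each time; the reader only needs the master key, so it can verify any tag without a database of per-tag secrets.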

So it is a cool technology: an induction-powered screen which can be printed using conventional hot lamination processes and embedded in just about anything, now the companies involved just have to find something interesting in which to embed it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/nfc_powered_screen/

Rubbing an iPhone on your face won’t cure acne

The Federal Trade Commission has fined two developers who claimed their mobile apps could cure acne with flashing colour, but there’s still plenty of snake-oil on sale.

Colour therapy for acne does have medical credentials, but the FTC’s ruling is clear that the frequencies generated by a smartphone screen aren’t even close to what’s needed, making the claimed cures baseless and forcing the developers of AcnePwner (Android) and AcneApp (iPhone) to cough up $1,700 and $14,294 respectively.

Around 3,300 Android users apparently shelled out 99 cents for AcnePwner, while 11,600 iPhone users had to pay twice that for AcneApp. Both applications asked users to hold the phone screen against the skin for a few hours every day, during which it would flash suitable colours: AcneApp even cited a report from the British Journal of Dermatology to back up its claims.

A little basic arithmetic shows that even after paying off the FTC, Andrew N Finkle (developer of AcnePwner) will be up more than $500, while Koby Brown and Gregory W Pearson (responsible for AcneApp) will be almost two grand in pocket – not as rich as they thought they were, but the fine wouldn’t be much of a deterrent either.

“Smartphones make our lives easier in countless ways, but unfortunately when it comes to curing acne, there’s no app for that,” says the canned quote from FTC Chairman, Jon Leibowitz, which is loverly except for the fact that there are still plenty of apps claiming to cure acne (and just about everything else) through secret diets, prayer and the power of subliminal messages.

Oddly enough, quack medicine seems less prevalent in the Android Marketplace, compared to iTunes, but while it would be great to attribute that to the gullibility of Apple users, it’s more probably a result of the size of the iTunes app store – after all, we know that iPhone users are already physically perfect specimens of humanity.

Apple did kick the psychic wart-remover out of the iTunes store, last year, so it will take action against wildly fraudulent claims. The two apps targeted by the FTC seem to have incurred its ire by claiming to apply a genuine therapy (colour treatment), making them too credible to be allowed to last.

But curing acne by positive thinking engendered through subliminal messages, for example, falls between the obviously false and the medically unproven, so such apps remain available for those who are short on snake oil. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/acne_cure_app/

MS inadvertently offers early peep at September patches

Microsoft inadvertently published details of the patches it plans to publish on Tuesday following a slip-up by its security gnomes last week.

Patch Tuesday pre-alerts normally reveal little more than the applications Microsoft intends to update and the severity of the vulnerabilities addressed. However this month the software giant leaked details of the security holes it plans to close: five fairly run-of-the-mill updates that affect Office and Windows and have a maximum severity rating of “important”.

Vulnerability management experts and Microsoft are downplaying the significance of the leak.

Wolfgang Kandek, CTO of security outfit Qualys, commented: “While the information is interesting and certainly helpful for us (it makes life somewhat easier for our QA lab) I don’t believe there is any heightened security risk with the early exposure.”

“If the patches (i.e. the binaries) themselves had been revealed then indeed it would give attackers a 4-day head start,” he added.

Microsoft Security Response admitted the problem on its Twitter feed on Saturday, adding that it had deleted the text. “Some of you may have seen an early peek at Tuesday’s draft bulletin text, we’ve since removed the content,” it said. “Stay tuned for Tuesday.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/ms_spills_patch_tuesday_low_down/

Man City boss quits over cancer email

Manchester City chief executive Garry Cook has resigned over allegations he sent an offensive email that made light of a cancer sufferer’s plight.

The email, meant for City’s director of football Brian Marwood, reached Dr Anthonia Onuoha, the mother of City defender Nedum Onuoha at a time she was both recovering from cancer and negotiating her son’s future at the club last October, The Guardian reports.

Dr Onuoha sent Marwood and Cook a message at the time stating that although she was “ravaged with cancer” she would still be negotiating on behalf of her son. She received a reply from the club addressed to “Brian”, that said: “Ravaged with it!! … I don’t know how you sleep at night. You used to be such a nice man when I worked with you at Nike. G.”

The email returned to embarrass the club 10 months after it was sent when Dr Onuoha went to The Sun to tell the paper of her hurt and distress.

Dr Onuoha told The Sun: “When I opened my emails and saw the message, it was the worst day of my life, even worse than being diagnosed with cancer. I couldn’t understand how anybody could behave like that. I just cried and cried for hours. I’m critically ill and at that point I was undergoing chemotherapy. I was just so shocked but I couldn’t tell Nedum or any of my family because I didn’t know how they would react.”

Cook initially claimed that an unidentified hacker had sent the contentious email, and that the culprit had been identified and disciplined. However an internal investigation by the club, which is seeking to build a global brand and is sensitive about its reputation, dismissed this line.

Following the investigation, Cook admitted an “error of judgement” and tendered his resignation, which has been accepted, as an MCFC statement explains.

Cook is credited with doing a very good job during his three years at Manchester City, despite the occasional gaffe. For example, he built a shelter for supporters queuing outside the ticket office after seeing fans queuing in the rain.

His blunders included describing controversial former City owner Thaksin Shinawatra as a “great guy to play golf with”. He also raised eyebrows with claims that former world football player of the year Kaka “bottled it” in deciding not to move to Eastlands from AC Milan in January 2009. ®

Bootnote

We wouldn’t be surprised in the least if the incident was used to sell Data Leak Prevention technology, a filtering technology designed to block the accidental or deliberate extraction of sensitive content outside corporate boundaries, to Manchester City.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/man_city_boss_resigns_over_cancer_email/

Hacker defaces Irish Catholic paper: ‘Gotta love false hope’

A security breach has left several sites including the Irish Catholic defaced.

Atheistic hackers defaced the paper’s site at http://www.irishcatholic.ie/site on Sunday with a message mocking religion that also fired barbs at a site admin.

The message, headed, You.Got.Taken (screenshot below), states: “The Irish Catholic – Ireland’s biggest and best-selling Catholic newspaper since 1888 is currently hacked We should be back shortly. Thank you for your patience. And wish you to continue beliveing in your false religion.”

“Gotta love false hope,” it adds.

Unusually the defacement goes on to criticise the administrator of the site by name. “Get your act together. Several large sites on one server? Not a smart move Aidan Murphy. Watch your data.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/hackers_deface_irsih_catholic_paper/

Crooks rent out TDSS/TDL-4 botnet to the clueless

Cybercrooks have set up a web store that offers rented access to compromised machines on the TDSS/TDL-4 botnet.

The latest version of the TDSS botnet agent bundles a component that turns compromised machines into a proxy connected to awmproxy.net.

AWMproxy – which purportedly accepts payment via PayPal, MasterCard, and Visa – charges between $3 per day to $300 a week to would-be Baron Samedis who don’t have the nous to acquire their own zombies. The site even offers a Firefox add-on to customers, further dumbing down the process.

Applications include surfing the net anonymously with someone else’s IP address or launching cyber attacks, according to security blogger Brian Krebs. Owners of infected systems used to send threats or view images of child abuse could find themselves in legal hot water.

TDSS/TDL-4 is one of the most sophisticated botnets to date. The malware behind the bot uses rootkit techniques to disguise its presence on infected systems.

Krebs did some digging on the public storefront behind the TDSS/TDL-4 botnet. Google Analytics code embedded in the storefront homepage allowed Krebs to find sites with the same code. AWMProxy was established in February 2008 using the email address [email protected], the same email address used to set up other hostile sites including pornxplayer.com and fizot.com.

The now defunct fizot.com was registered by Galdziev Chingiz of St Petersburg, Russia. Krebs found the [email protected] address was linked with a LiveJournal blog that discusses such matters as life in St Petersburg, earning megabucks and owning a Porsche sports car with a license plate number that includes the Number of the Beast: “666”. Fizot also maintained a YouTube channel that shows a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming around a shopping mall parking lot.

Krebs concludes that although Chingiz may only be “tangentially related” to whoever set up the TDSS storefront he’s likely to know more about the main parties behind the operation. In apparent response to Krebs’ digging, Fizot deleted nearly all of the posts on his LiveJournal account and the YouTube videos. The solitary entry in the LiveJournal blog claims he sold the AWMproxy service some time ago, without providing any details.

Soon after publishing the article last week Krebs’ site and that of his service provider came under denial of service attack. The security blogger suspects resources on the TDSS/TDL-4 botnet were used to launch the attack but this remains unconfirmed. Krebs’ site has since been returned to normal operations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/tdss_rented_botnet_shenanigans/

9/11: The day we lost our privacy and power

Investigative reporter Duncan Campbell reflects on how 9/11 has torpedoed resistance to intrusion and undermined privacy rights born of earlier struggles. It may, irreversibly, have changed the way we think.

9/11 was a savage nightmare that took too long to happen for some in the West.

For 12 fallow years, from the fall of the Wall to the fall of the Towers, there was a brief golden period in which no great common enemy menaced all unseen beyond the distant horizon. There was no simple spectre of fear on which to construct, fund and operate surveillance platforms, or reason to tap data funnels into society’s communications and transport arteries.

Through the ’90s, in debates about the control of communications and electronic security measures – amid a US-led hue and cry for government control of all cryptography (remember the “Clipper Chip”?) – the “what if” question hung always in the mouths of the proponents of more control. What if terrorists had a nuke? A new virus to plague civilisation?

But the bad guys largely stayed off stage. The inter-Irish conflict that had dogged the UK had subsided into a peace process. There was a global terrorist shortage.

Then the catastrophe hardliners had secretly longed for was on everyone’s screens, providing the justification for rafts of intrusive new surveillance measures. The common criminality that caused carnage in New York and Washington was elevated to a war that became the GWOT, the global war on terror that endures today.

It seems that on that day, and for the sake of that war, civil society’s power to control surveillance of the wired world has eroded, and with it the moral authority to impose controls on what shall be done in security’s name. The zeitgeist has changed.

Much aided and abetted by the internet giants’ readily expressed contempt for privacy in the rush to monetise their customers and their customers’ data, the long-term legacy of 9/11 is that new generations are being schooled to no longer see or understand why control of personal information may really matter, and why in history it does and did matter.

“Warrantless wiretapping” of the internet and other intrusions have become a fact of life. When secret agreements made by the US National Security Agency (NSA) to access American telephone and cable networks started to become public in 2005, it was soon apparent that they had been made unlawfully, on the basis of questionable and undisclosed secret authorities from the Bush White House given after 9/11.

Privacy advocates fight back

But when lawsuits started by the Electronic Frontier Foundation and other privacy advocates started to gather traction, the rules were changed. Supported, sadly, by Senator Obama before his election, the lawmakers handed out get-out-of-jail-free cards indemnifying the communications companies and their executives from prosecution and lawsuits. GWOT was their trump card.

Once, we did understand. Twenty-five years ago, Independent science correspondent Steve Connor and I wrote a tome about Britain’s Databanks and the effect of growing data processing on civil society. Steve had located Britain’s first ever vehicle Automatic Number Plate Recognition (ANPR) device, a washing-machine-sized contraption planted on a motorway bridge near St Albans. It heralded the potentially tyrannical ultimate development of a nationwide movement surveillance. We both reached for and proclaimed words from early reviews of data protection laws that had warned that new sensors and new software such as free text retrieval (FTR) raised “new dimensions of unease”.

A quarter-century on, these words are all but unsayable. The thoughts no longer fit the world. Every sort of record is analysed in every way. A vast nationwide ANPR network is in place and growing every week, collating years of movement records in a Hendon database for potential analysis for any purpose. Every traveller, whether of current interest or not, has her or his movements logged. There was no parliamentary debate. Only on one occasion, in Birmingham, has an ANPR network been rolled back from a community targeted for intense surveillance.

For now, ANPR sensors placed around Britain’s roads remain marginally distinguishable from “ordinary” traffic cameras and CCTV (since they feature infrared illuminators and require at least one camera per lane). But that will change within less than a decade, as the signatures of these and other new surveillance devices vanish to invisibility.

For this writer, the political effect of 9/11 was immediate, personal and direct. Six days before the towers came down, the European Parliament had passed 25 recommendations for securing domestic and international satellite communications from the Anglo–American surveillance system known as Echelon.

I had uncovered and first reported on the Echelon network in 1988. It took a decade more for its significance to become widely known, mainly because of further investigation and revelations by New Zealand investigator Nicky Hager in his book Secret Power.

Although now widely mis-described in web chat as a generalised surveillance octopus, Echelon’s purpose and hardware was quite specific. In 1969, new receive-only satellite ground stations were built in Cornwall, UK and West Virginia, USA, and soon after around the world, to copy and analyse all international satellite communications.

That part of all international communications which was digital – communications addresses, data streams, faxes and telexes – was fed into early text-recognition software, the Echelon Dictionary, and then extracted and fed out.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/10/how_september_11_changed_our_world/

Man sentenced to 14 years for mass credit card theft

An Indiana man was sentenced to 14 years in prison for selling counterfeit payment cards that caused more than $3 million in losses.

Tony Perez III, 21, received the sentence on Friday, five months after pleading guilty to one count each of wire fraud and aggravated identity theft. He was also ordered to forfeit more than $2.8 million in proceeds and pay a $250,000 fine.

In his plea, Perez admitted he ran an online operation that sold payment cards encoded with stolen account information. He frequented underground carding forums, where he received stolen credit card information.

When the US Secret Service raided his apartment in June 2010, they found data for 21,000 stolen credit cards and equipment needed to encode them onto blank cards. Credit card companies said losses from the card numbers in Perez’s possession topped more than $3 million.

More from the Department of Justice is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/carder_sentenced/

Unisys gets ‘stealthy’ with secure virtual terminal

Rich people and public sector workers can now get the kind of network security that used to be reserved for military organizations.

Unisys is known mostly for its ClearPath mainframes and various outsourcing and other services that it sells to financial, transportation, and retail companies and various governments that buy its gear. But the company has been trying to leverage a set of network encryption technologies called Stealth – which was originally created for system security contracts with the US Department of Defense and NATO – and turn it into a new software product or service.

Unisys has talked about Stealth before, launching an appliance using the data encryption technology created for the military to secure the networks and storage used on public clouds back in July 2009. A few months later, in November 2009, the company debuted a version of the Stealth appliance to secure private clouds.

And now, Unisys is embedding Stealth network security in a USB stick that will allow anyone to plug this USB stick into any machine and access a set of application interfaces and network addresses burned onto the stick – and do so over any network, including public ones, and do so securely.

Unisys worked with partner Security First, which created a program called SecureParser that adds two layers of encryption and some packet obfuscation to data that is transmitted over a network – data in flight – or stored on a disk or flash drive – data at rest. The Stealth algorithms created by Unisys and Security First employ a technique called cryptographic bit splitting, which randomly breaks data down into bits, bytes, or blocks and then encrypts it as it is passed around the network or stored on media.

These chunks of data are parsed with one security key, and then the packets are wrapped up in AES-256 encryption using a different security key. The result is that even if you do deep packet inspection on data in flight, you can’t figure out how to reassemble it into its original form unless you know how the SecureParser works and have its key.
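To make the splitting idea concrete, here is an added example (not Unisys or Security First code, and not the SecureParser algorithm itself): each byte of the payload is XOR-shared across several shares, so any single share on its own is uniformly random, and the bytes of each share are then scrambled with a share-specific permutation derived from the split key. Without that key, even someone holding every share cannot put the bytes back in order. The payload and keys are constructed demo values; the outer AES-256 layer under a second key that the article describes is a separate step applied to each share and is not shown here.

```python
import hashlib
import hmac
import os
import random


def _keyed_order(split_key: bytes, share_index: int, length: int) -> list:
    """Deterministic permutation of byte positions for one share, seeded from
    an HMAC of the split key and the share index, so every share is
    scrambled differently but reproducibly."""
    seed = hmac.new(split_key, b"permute|" + bytes([share_index]), hashlib.sha256).digest()
    order = list(range(length))
    random.Random(int.from_bytes(seed, "big")).shuffle(order)
    return order


def split(data: bytes, split_key: bytes, n_shares: int = 3) -> list:
    """Split `data` into `n_shares` equal-length byte strings.

    Step 1 (XOR sharing): the first n-1 shares are fresh random bytes and the
    last is the payload XORed with all of them, so each share alone carries
    no information about the payload.
    Step 2 (keyed scramble): each share's bytes are reordered with its own
    permutation from `split_key`, so all shares together still need the key."""
    if n_shares < 2:
        raise ValueError("need at least two shares")
    n = len(data)
    plain_shares = [bytearray(os.urandom(n)) for _ in range(n_shares - 1)]
    last = bytearray(data)
    for share in plain_shares:
        for j in range(n):
            last[j] ^= share[j]
    plain_shares.append(last)

    scrambled = []
    for i, share in enumerate(plain_shares):
        order = _keyed_order(split_key, i, n)
        out = bytearray(n)
        for k, j in enumerate(order):
            out[k] = share[j]  # wire position k holds original position j
        scrambled.append(bytes(out))
    return scrambled


def reassemble(shares: list, split_key: bytes) -> bytes:
    """Undo each share's permutation, then XOR the shares back together.
    With a wrong key or a missing share the result is just noise."""
    n = len(shares[0])
    if any(len(s) != n for s in shares):
        raise ValueError("shares must have equal length")
    result = bytearray(n)
    for i, share in enumerate(shares):
        order = _keyed_order(split_key, i, n)
        for k, j in enumerate(order):
            result[j] ^= share[k]
    return bytes(result)


def demo() -> dict:
    """Split a constructed payload and report what each failure mode yields."""
    split_key = os.urandom(32)  # constructed: the first of the two keys
    payload = b"constructed payload: ACCOUNT 12345678, BALANCE 9,999.99"
    shares = split(payload, split_key)
    return {
        "round_trip": reassemble(shares, split_key) == payload,
        "wrong_key": reassemble(shares, os.urandom(32)) == payload,
        "missing_share": reassemble(shares[:-1], split_key) == payload,
        "share_leaks_plaintext": any(payload in s for s in shares),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties are worth checking when evaluating any splitting scheme of this kind: that an individual share really is independent of the payload (here guaranteed by the XOR sharing, not by the scramble), and that the key material for reordering is handled with the same care as an encryption key, since it is what stands between a deep-packet-inspecting observer holding all the shares and the original data. In a real deployment the shares would then each go through an authenticated cipher such as AES-256-GCM from a library like `cryptography` under the second key, which also adds the integrity protection that a bare split lacks.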

The Stealth encryption and obfuscation is the result of an RFP that Unisys participated in back in 2005 with the DoD, Mark Feverston, vice president of data security solutions at Unisys, tells El Reg. This RFP called for security to be managed by person or device, not by location on the network; had to run with applications unchanged; had to be maintained by people in the field; and it also had to be able to be run over public, private, and military networks – including enemy networks if it came to that.

The Stealth Secure Virtual Terminal (SSVT) USB stick is a device that complies with the US government’s FIPS-140 security standard for hardening electronic devices. It self-destructs (electronically, not explosively) if you try to tamper with it. The USB stick has three parts. The first is a custom ASIC that has been etched to run the Stealth cryptographic bit splitting algorithm.

Then there is some ROM to hold encryption and bit-splitting keys as well as the custom splash screens and network IP addresses of the applications you want a user to be able to access once they plug into a machine that is attached to a network. There is a third chamber in the USB stick for an optional chunk of read/write flash memory, but Feverston says that a lot of customers don’t want to enable this feature. The Feds certainly don’t.

The SSVT USB stick has been rated at the EAL4+ Common Criteria security level so it can run on the NSA’s networks and is qualified to handle classified and secret materials (but not yet top secret stuff). It blocks screen scraping, downloading, and other capabilities on a PC and really only lets end users access the screens of applications on a precise network that are enabled in the SSVT.

One initial use case that Unisys is peddling the SSVT for is banking, giving the USB sticks to wealthy clients or treasury departments at corporations that need better security than a password or RSA dongle can give. The Feds are also interested in using SSVT to enable teleworkers that handle sensitive material.

Unisys will sell you the hardware and software stack to manage the Stealth network protection and burn you some USBs for your applications; it costs on the order of a half million dollars to set it up for 1,000 users, according to Feverston. Or you can run it as a service for $40 per user per month and let Unisys manage the Stealth encryption. You can’t use any of the Stealth tools in countries where the State Department has instituted export controls in retaliation for sponsoring terrorism or trafficking arms. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/unisys_secure_virtual_terminal/