STE WILLIAMS

Cloud ATM demo’d by Diebold

Diebold has taken the wraps off a prototype for a bank ATM that uses virtualisation technology.

Relying on remote servers instead of in-built computing resources reduces complexity while offering greater reliability and security. Diebold described the prototype as a “game changer” and part of its roadmap to make greater use of cloud-based technologies in cash machines and self-service kiosks.

“Virtualisation will fundamentally change the way Diebold – and its customers – deploy solutions to the marketplace,” said Frank A Natoli Jr, vice president and chief technology officer at Diebold. “It enables unified management of a wide array of services and paves the way for orchestration of multiple channels.”

He added: “This development is an important milestone on Diebold’s roadmap to leveraging cloud computing technology in the retail financial space.”

The virtualised ATM prototype was developed by Diebold in conjunction with VMware, which said that the kit illustrates that virtualisation has plenty of applications outside its traditional home in the datacentre. Diebold wants to recruit banks to set up sites for a virtual ATM proof-of-concept study.

Virtualisation removes the onboard computer from the ATM, tying each terminal to a single server running many “virtual” ATMs. This consolidation allows greater control and therefore better security, at least in theory. Far from offering a single point of failure, this approach would also allow faster failure recovery and more rapid software upgrades and services deployment, leading to an overall increase in ATM uptime, according to Diebold.

Diebold’s demonstration terminal at VMworld 2011 also showcased biometrics for enhanced security and near field communications (NFC) technology. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/02/diebold_virtual_atm/

Google abandons tradition to bring you this Important Voucher

Google’s reputation for sound judgement took a serious knock last year when it emerged it was mulling a $6bn bid for Groupon. The web voucher sensation is running on exhaust, and racing towards an IPO before faith and cash reserves expire. Legal issues lurk beneath the surface, and Groupon needs merchant partners to keep buying into the idea – and that depends on long-term conversion rates. Many are unhappy.

In other words, it looks like a classic flash-in-the-pan – and Facebook agrees, knocking its own Facebook Deals effort on the head after a four-month test. Yelp is pulling out too, with founder Jeremy Stoppleman telling the FT he “had heard consistently from certain categories of businesses – very popular ones, I’m afraid – that daily deals are uneconomic for them, which does raise questions around the sustainability of ’50 per cent off’ daily deals for these types of businesses.”

Instead, the Chocolate Factory decided to build one itself, acquiring a cheap rival along the way last month.

On Wednesday, Google even broke its 13-year tradition of minimal UI design by splattering a “Google Offers” deal across its famously clutter-free front page. The first offer touted admission to the American Museum of Natural History ($25 ticket now $5!). Is this wise?

The spam – for that’s really what it is – is supposed to indicate that Google is deadly serious about the voucher business. And it does have one trick up its sleeve in Android, with its support for NFC.

In a perfect Google World, no digital pixel is left unmolested by a Google advertisement. The era of personalised, Minority Report-style spam can’t be too far away. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/02/google_groupon_webpage_spam/

Californian sextortion webcam perve gets 6 years

A Peeping Tom webcam sextortionist has been jailed for six years after targeting several young women.

Luis Mijangos, 32, a resident of Santa Ana, California, was imprisoned on Thursday after he was convicted of hacking into more than 100 computers, using stolen personal information, to blackmail his young female victims into posing for sexually explicit videos and pictures.

Mijangos, a freelance computer consultant who is confined to a wheelchair, used malware to compromise victims’ machines. In one case he posted naked photos of a woman on her friend’s MySpace page. In another he posed as a victim’s boyfriend in order to trick her into posing for revealing pictures.

Mijangos used modified versions of remote access tools, such as Poison Ivy or SpyNet, which he planted onto file-sharing networks or sent to victims disguised as video clips or songs so that he could gain compromised access to their PCs, Computerworld reports.

The case is the latest in a long list of prosecutions of voyeurs who used computing technology to abuse victims. For example, Adrian Ringland of Ilkeston, Derbyshire, was jailed for 10 years back in 2006 after he was convicted of using spyware to take explicit photos of kids using compromised access to computer webcams. In 2008, a 47-year-old Cypriot got four years for taking illicit snaps of a teenager after he planted Trojan horse spyware to gain remote control of the 17-year-old’s webcam. More discussion on the issue and advice on possible countermeasures (use anti-malware and, if in doubt, disable webcams) can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/02/wheelchair_bound_webcam_pervert_jailed/

WikiLeaks releases full searchable US secret cable files

WikiLeaks published its full cache of unredacted US diplomatic cables on Friday.

The decision to release the 251,287 US embassy cables in searchable format follows in the wake of revelations that a book by a Guardian journalist published in February disclosed the secret key to the raw archive file which became available on file-sharing networks. WikiLeaks made the decision to release the archive in full following an internet poll on its Twitter followers whose results supported the move.

“Given that the full database file is downloadable from hundreds of sites there is only one internally rational action,” WikiLeaks said, adding that it wants to use crowdsourcing techniques to hunt for juicy nuggets in the vast treasure trove of information.

“Tweet important cable discoveries with #wlfind. The entire world press does not have enough resources and there are substantial biases,” it said.

The Guardian strongly condemned the move saying that the unredacted documents identified activists and US intelligence agents, leaving them at risk of arrest or retribution. The initial release of extracts from the cables last November happened in conjunction with five international media partners: The Guardian, The New York Times, El Pais, Der Spiegel and Le Monde. The “partners” worked with the whistle-blowing site to publish carefully selected and redacted excerpts from the cables.

WikiLeaks has since fallen out with The New York Times and The Guardian. Relations between the whistle-blowers and the Graun first began to sour after the liberal paper began investigating details of the sexual assault allegations against founder Julian Assange, which remain the subject of Swedish extradition proceedings. The relationship, already on shaky ground, went further downhill after Guardian investigative hack David Leigh published the secret passphrase to a raw cablegate archive in his book on the whistle-blowing site. It was this archive that subsequently made its way onto the torrents and then other locations on the internet, meaning that anyone who could find it could read it.

The problem was known about for months but only received mainstream attention following reports in German news magazines last week. WikiLeaks responded to the now public problem by threatening legal action against The Guardian for negligence. The paper stated that it had been told the PGP passphrase only allowed temporary access to an encrypted copy of the files on a secret (soon to be deleted) directory of the WikiLeaks site, a contention WikiLeaks argues demonstrates technical ineptitude on the part of the paper.

“It is false that the passphrase was temporary or was ever described as such. That is not how PGP files work. Ask any expert,” said the leaker organisation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/02/wikileaks_releases_raw_cablegate_archive/

Two UK suspects cuffed in Anonymous manhunt

British police have arrested two men as part of a continuing investigation with the FBI into computer attacks carried out under the flags of the Anonymous and Lulz Security hacking crews.

The men, aged 20 and 24, were arrested on Thursday in Mexborough, near Doncaster, South Yorkshire, and Warminster, Wiltshire, under suspicion of committing offenses under the Computer Misuse Act, an article published on Friday in The Guardian reported. The men were arrested separately, and computer equipment from a Doncaster address was confiscated for forensic examination.

“The arrests relate to our inquiries into a series of serious computer intrusions and online denial-of-service attacks recently suffered by a number of multi-national companies, public institutions and government and law enforcement agencies in Great Britain and the United States,” said Detective Inspector Mark Raymond from the Metropolitan Police’s Central e-Crime Unit, according to a separate article from the Associated Press.

Over the past 18 months, people claiming affiliation with Anonymous and the splinter group Lulz Security have taken responsibility for breaching the security of Sony, the CIA, Britain’s Serious Organised Crime Agency and multiple US law enforcement groups. The attacks continued Thursday with the reported leak of internal email and documents from 28 Texas police chiefs.

Thursday’s arrests came the same day Scotland Yard charged two men with attacks also attributed to Anonymous. Christopher Weatherhead, 20, of Northampton, and Ashley Rhodes, 26, of Kennington, south London, were charged with conspiracy to carry out an unauthorised act in relation to a computer. They are scheduled to appear in Westminster Magistrates’ Court on September 7.

Two other suspects, including 22-year-old Peter David Gibson and a 17-year-old from Chester, have already been charged in the case, which relates to denial-of-service attacks on PayPal, Amazon, MasterCard, Bank of America, and Visa in December.

The arrests are part of a trans-Atlantic crackdown on Anonymous following an 18-month hacking spree by the loosely organized griefer group. In the past few months, dozens of people in North America and Europe have been snared in the probe, including 14 people in the US and five in the UK and the Netherlands. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/02/uk_anonymous_suspects_arrested/

‘New laws not needed’ to block / censor Twitter et al

Comment One of the unanswered questions arising from the August riots is whether the government needs new powers to block the use of Twitter, Facebook and other social media which were used to organise the disturbances.

Prime Minister David Cameron suggested, in the immediate aftermath of the rioting, that blocking the use of social networking communications was a policy option that was to be urgently discussed with telecommunications operators (and then implemented as a priority).

So when the Home Office says (as it has done) that no new powers are needed, then it follows that either no new powers are needed (ie, the government already has the power to block social networking communications) or the politicians have quietly gone off the idea (and have decided not to say so).

Hack the RIPA

Assuming it is not the latter, one’s first instinct is to look at the Regulation of Investigatory Powers Act (RIPA) as the source of any power to block communications. This Act states (in section 8 of RIPA) that to lawfully authorise interception, a signed warrant from the Home Secretary is required and that this warrant has to “name or describe either:

Clearly “the one person” description in paragraph (a) can’t work if there are hundreds of unknown individuals engaged in a riot, while the limitation to “a single set of premises” of paragraph (b) was not really intended to be stretched to lawfully describe something like “all premises in N17” (the post code of the Tottenham area).

Also, RIPA uses the word “interception”. So do provisions to allow the authorities to intercept and study the content of communications between the “bad guys” (the intent behind RIPA) extend to the “blocking” of all communications to thousands of individuals (ie, including the “good guys”) where the content of the communications is not studied at all? I am not sure it does.

For these reasons, I do not think that RIPA as currently constructed can be reliably used in riot situations as a lawful basis that blocks communications in the area of a riot. So where are the powers to block?

Uncivil disobedience

If I was having a bet, I think ministers might be considering the powers in the Civil Contingencies Act 2004. This is because the definition of an “emergency” – which is required to trigger use of the Act’s draconian powers – clearly includes a riot, as a riot could cause “serious damage” to human welfare, to property and threaten lives.

Additionally, where the issue is “urgent”, then the Civil Contingencies Act’s powers can be exercised by ministers without resort to Parliament. Although “urgency” is understandable in times of a crisis, these urgency provisions also minimise Parliamentary scrutiny of their use at the critical time that the powers are exercised.

One issue that is unresolved is whether “rioting” can be given a “national security” label. For example, section 94 of the Telecommunications Act 1984 allows the Secretary of State to “give to that person” (eg, a telecommunications operator) “such directions of a general character as appear to the Secretary of State to be necessary in the interests of national security”.

However, as public utterances of ministers have always addressed the August riots in terms of “criminality”, then I suggest that “national security” powers really cannot be used to justify blocking of networking sites. If national security powers were to be used, then this would be wholly at odds with all the current political discourse.

Politicians want to keep a finger on the mute button

Other powers are in Part III of the Police Act 1997; this allows the police to interfere with “wireless telegraphy” if interference is authorised by a chief constable. However, if chief constables have the power, then this would exclude the politicians, who in the August riots clearly wanted to manage the police’s response to the riots. The Civil Contingencies Act, by contrast, avoids this problem; it gives the authorising powers to ministers and not the police – another reason why I think that the powers in this Act are preferred.

When emergency powers are used individual rights are often in their greatest peril of disappearing

All sorts of complicated, practical issues would still remain. For instance, if you block communications in an area, you will be blocking communications for everybody. So if you block messages saying “let’s have a riot” you also block messages asking “Are you safe?”. There are also difficulties in defining when rioting is taking place and when the powers may be used. For instance, what is the difference between “a riot” and Friday-night pub-chucking-out time in some of our city centres? Not much, I would argue.

In summary, the “riots” have thrown up all the age-old questions in the context of mass interference to communications systems used by every citizen. Do such powers exist already? When are they used? Who should exercise these powers? What are the checks and balances in relation to the exercise of these powers?

These important questions need an answer from our political masters. One can’t have the “riots” being used to justify the building of a system of extensive blocking of ALL communications without equal thought being given to the building of a reliable counter-balance that protects against the misuse of those powers.

This is especially the case if the powers of the Civil Contingencies Act 2004 are being contemplated as the vehicle to make such blocking lawful. After all, history tells us that it is in a time when emergency powers are used, that individual rights are often in their greatest peril of disappearing.

References: To understand the issues associated with the Civil Contingencies Act, see Liberty’s briefing on the second reading of the Bill, first published in 2004.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/02/which_law_legitimises_the_blocking_of_communications/

‘Anon member’ claims credit for WikiLeaks takedown

A Twitter user who claims affiliation to the infamous Anonymous hacktivist collective has claimed responsibility for launching denial of service attacks that floored WikiLeaks on Tuesday night.

The attack against the whistle-blowing site occurred at the same time as less high-profile assaults against Pastebin and 4Chan, the anarchic image board and birthplace of Anonymous.

The assaults were reportedly field trials for a new JavaScript-based DDoS tool, dubbed RefRef, designed to exploit SQL server flaws on targeted websites. RefRef is the successor to the notorious LOIC attack tool, which discloses users’ IP address by default, as many arrested hacktivists now know only too well.


Anonymous began with attacks against the Church of Scientology three years ago, but only gained mainstream fame when it launched denial of service attacks in support of WikiLeaks and against financial service firms that shut down accounts maintained by the whistle-blowing websites.

A Twitter account (@AnonCMD) linked to an Anonymous activist refers to a “personal vendetta against WikiLeaks” adding that “we are sorry we took you down. We are even”.

An update to the account indicates that the dispute is over money supposedly owed by Julian Assange. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/01/anon_wikileaks_takedown_claim/

Tricky Xbox 360 hack claimed to work 1 try in 4

Hackers reckon they have come up with a way to circumvent the security of Xbox 360 gaming consoles via an attack that allows them to inject unsigned code into the heart of the system.

The so-called Reset Glitch Hack, developed by hackers GliGli and Tyros, creates a means to load code into a console’s CPU. This makes it more sophisticated than previous approaches, some of which relied on bugs within gaming software.

The hack relies on slowing the CPU during the boot-up sequence, using an “externally accessible HANA chip bus (I2C) to overwrite the divider registers in the clock generator”, as H Security explains. With the clock sequence slowed down it becomes possible to inject a reset pulse that both resets the clock speed and injects code of the hackers’ choosing into memory. The approach is less than elegant but, given a bit of luck (the exploit is only successful 25 per cent of the time), the hacking duo showed it was possible to smuggle their own customised bootloader onto the system.

The hack works by essentially destabilising the console in order to trick it into believing the hackers’ code is hashed and signed.

In a demonstration video, the hackers launched a Linux loader and a Nintendo 64 (N64) emulator. The approach works regardless of firmware version. Both the new slim console and some previous versions of the Xbox 360 console (Jasper) are potentially vulnerable. Earlier versions of the Xbox 360 (Xenon, Falcon) are not. Microsoft may have its work cut out in blocking the hack because a simple software update would not be enough to block the exploit, according to the hackers.

The hackers stated that the hack had only been developed for the purposes of running homebrew code, and not for gaming piracy or similar malfeasance.

More details on the hack can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/01/xbox_reset_glitch_hack/

Rugby World Cup reporters swap identities in login glitch

The Rugby World Cup has hit a security snag just over a week before the eagerly awaited tournament kicks off in New Zealand.

Media partners logging into the dedicated media centre system were confronted with the profiles of other journalists instead. Sysadmins are trying to get to the bottom of the problem; in the meantime, they are advising journos to reload the web page if they hit the problem, as explained in a notice (issued on Thursday) below.

RWC MEDIA ALERT

RWC 2011 Media Centre – login issue

A few people have experienced issues when logging on to the RWC 2011 Media Centre.

Specifically, some people are seeing someone else’s profile after they enter their temporary password and go to the ‘My profile’ page.

If you experience this issue, please can you try refreshing the web page until you see your details?

If this does not work, please email [email protected]. We will get back to you as soon as we can.

We are working to resolve this issue and apologise for the inconvenience caused.

RWC 2011 Media Centre

The issue illustrates the teething problems that arise when you set up a system from scratch. Practical problems arising from the glitch are hard to gauge, but it’s probably not the best idea if Australian media, for example, get wind of Kiwi TV broadcast plans. ®

Bootnote

Thanks to broadcast contractor Pete for the heads-up on the problem.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/01/rwc_login_glitch/

All WikiLeaks’ secret US cables are on BitTorrent in full

Wikileaks has accused a Guardian journalist of negligently publishing the passphrase for a database of unredacted secret US diplomatic cables in a book. The encrypted database is available on BitTorrent.

The book by David Leigh, Inside Julian Assange’s War on Secrecy, contains an excerpt explaining how he persuaded Julian Assange to give him the PGP passphrase, named as ACollectionOfDiplomaticHistory_Since_1966_ToThe_PresentDay#.

Armed with the passphrase, interested parties possessing the relevant encrypted database can see copies of the controversial documents. The material includes raw copies of more than 100,000 classified US diplomatic cables.

WikiLeaks published carefully redacted and selected samples of the US diplomatic cables starting last November. Details pointing to the identity of informants or naming agents contained in the raw Cablegate archive were removed. After months in hiatus the whistleblowing site began publishing further cables at a greatly increased rate last week.

The passphrase disclosure problem must have been known about for months but only became public after German magazines highlighted the issue recently.

WikiLeaks, which has remained silent on the issue in order to avoid drawing attention to the presence of the passphrase in The Guardian book, said that it has “spoken to the State Department and commenced pre-litigation action” against The Guardian. It accused the paper of an “act of gross negligence or malice”.

In a story about the availability of the unredacted cables, The Guardian said it was told it was supplied with a “temporary password which would expire and be deleted in a matter of hours.”

The paper goes on to say:

The embassy cables were shared with the Guardian through a secure server for a period of hours, after which the server was taken offline and all files removed, as was previously agreed by both parties. This is considered a basic security precaution when handling sensitive files. But unknown to anyone at the Guardian, the same file with the same password was republished later on BitTorrent, a network typically used to distribute films and music. This file’s contents were never publicised, nor was it linked online to WikiLeaks in any way.

The Guardian adds that WikiLeaks has not previously objected to Leigh’s book, which was published back in February. “No concerns were expressed when the book was published and if anyone at WikiLeaks had thought this compromised security they have had seven months to remove the files,” stated the paper.[1]

Once one of five trusted international media partners, the Guardian and Assange had fallen out spectacularly even before the publication of Leigh’s book, mainly over early Guardian stories on the sex allegations against Assange in Sweden that remain the subject of ongoing extradition proceedings.

Last year a former WikiLeaks volunteer gave access to the database to a freelance reporter, Heather Brooke, without the permission of Assange. So this latest incident is not the first time WikiLeaks has lost control of its unredacted Cablegate database. The difference this time around is that anyone – potentially intelligence agencies within oppressive regimes that are hostile to the US, and not just a few hacks – will be able to obtain raw copies of the sensitive diplomatic cables. ®

Bootnote

[1] Removing or changing the location of the cables file on the Wikileaks site would have had no effect once the database was on the torrents.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/01/cablegate_leak_row/