STE WILLIAMS

Better ATM skimming through thermal imaging

Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines.

At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming methods that use traditional cameras to capture the PINs people enter during transactions. That’s because customers often obscure a camera’s view with their bodies, either inadvertently or on purpose. What’s more, it can take a considerable amount of time for crooks to view the captured footage and log the code entered during each session.

Thermal imaging can vastly improve the process by recovering the code for some time after each PIN is entered. Their output can also be processed by an algorithm that automates the process of translating it into the secret code.

The findings expand on 2005 research from Michal Zalewski, who is now a member of Google’s security team. The Usenix presenters tested the technique laid out by Zalewski on 21 subjects who used 27 randomly selected PINs and found the rate of success varied depending on variables including the types of keypads and the subjects’ body temperature.

“In summary, while we document that post-hoc thermal imaging attacks are feasible and automatable, we also find that the window of vulnerability is far more modest than some feared and that there are simple counter-measures (i.e., deploying keypads with high thermal conductivity) that can shrink this vulnerability further still,” the researchers wrote.

A PDF of their paper, which is titled Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/thermal_imaging_atm_fraud/

Hackers breach website for SF transit agency police

Hackers breached the website belonging to a police union and posted sensitive personal information for more than 100 officers who work for a San Francisco regional transit authority.

The breach of bartpoa.com was the second time in less than a week that websites affiliated with Bay Area Rapid Transit have been targeted by hackers. Over the weekend, people claiming to be members of the Anonymous hacking collective said they were protesting BART by publishing personal information for more than 2,000 passengers who had nothing to do with the agency’s management.

People claiming to be members of Anonymous took credit for the attack that exposed passenger data. It was less clear what role the group had in Wednesday’s breach.

“The leak today of BART officer data could be the work sanctioned by those who truly support anonymous, or agent provocateurs,” a tweet from AnonyOps said. “Stay skeptical.”

A later dispatch on the microblogging site said: “People who are against anonymous know they can do things under the name ‘anonymous’ and never be questioned. This is anonymous, defined.”

A posting on Pastebin.com listed the names, home and email addresses and site passwords of 102 BART police officers. At time of writing, bartpoa.com was inaccessible.

It’s unclear exactly how the hackers compromised the police officer data.

The hackers in the earlier attack claimed to access the passenger information by exploiting a rudimentary security flaw in MyBart.org, which is owned by BART. BART officials have declined to say whether the site was ever reviewed by outside security auditors.

The attacks follow a controversial move to disable cellular service in at least four San Francisco BART stations last week. BART management took that action to disrupt a planned demonstration that protesters were organizing online. BART officials said its decision to turn off the nodes that connected carriers to underground antennas was legal and necessary to prevent unsafe conditions in confined spaces. Critics have compared the move to those taken by former Egyptian President Hosni Mubarak to quash protests against his rule.

The BART demonstrations were protesting the fatal shooting by BART police in July of a homeless man who allegedly brandished a knife as he lunged at officers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/new_bart_hack_attack/

Android app logs keystrokes using phone movements

Computer scientists have developed an Android app that logs keystrokes using a smartphone’s sensors to measure the locations a user taps on the touch screen.

TouchLogger, as their demo app is dubbed, allowed its creators at the University of California at Davis to demonstrate a vulnerability in smartphones and tablets that has largely gone unnoticed: While most of these devices lack physical keyboards that have long been known to leak user input, they nonetheless remain susceptible to monitoring through similar side-channel attacks.

Whereas eavesdroppers measure sound and electromagnetic emanation to capture input from traditional keyboards, they can monitor the motion of the device to achieve much the same result from a touch screen.

“Our insight is that motion sensors, such as accelerometers and gyroscopes, may be used to infer keystrokes,” the researchers wrote in a paper (PDF here) presented last week at the HotSec’11 workshop in San Francisco. “When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed.”

Screen shot of Android data collecting app

User interface for data collection app

Applications like TouchLogger could be significant because they bypasses protections built into both Android and Apple’s competing iOS that prevent a program from reading keystrokes unless it’s active and receives focus from the screen. It was designed to work on an HTC Evo 4G smartphone. It had an accuracy rate of more than 70 percent of the input typed into the number-only soft keyboard of the device. The app worked by using the phone’s accelerometer to gauge the motion of the device each time a soft key was pressed.

With minor refinements, the researchers believe they can expand the effectiveness of TouchLogger, as well as the devices it will work on.

“The tablet has a larger screen, so hopefully we can get a higher accuracy rate on a qwerty keyboard,” said Liang Cai, a graduate student in UC Davis’s computer science department who collaborated with his advisor Hao Chen. “We didn’t really try it on a large scale of devices.”

Besides targeting devices with larger touch screens, the researchers said TouchLogger could also be improved by tapping other sensors built into the targeted device. Prime candidates include gyroscopes to measure the rate of rotation and a camera to further detect motion. The scientists noted that the W3C recently published a specification for web applications to access accelerometer and gyroscope sensors using JavaScript. They are in the process of extending their work into a full research project.

For now, they hope to get the word out that the motion detected by a smart device’s own sensors could expose highly valuable information, including passwords, social security numbers and credit card numbers.

“We hope to raise the awareness of motion as a significant side channel that may leak confidential data,” they wrote. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/android_key_logger/

Dog fight game bitten with pro-PETA virus

Scotland Yard Four cleared – on phone

Erstwhile Met Police commissioner Sir Paul Stephenson and his one-time colleagues – John Yates, Andy Hayman and Peter Clarke – have all been cleared of misconduct during an inquiry by the cop watchdog into the phone-hacking scandal at News International.

The Independent Police Complaints Commission concluded that Stephenson, who resigned last month, had not committed any offence.

He walked from his job in July while insisting that his “integrity” was intact. Stephenson said at the time that he was stepping down due to the “excessive distraction” his presence at the helm was causing to the effective running of Britain’s largest police force.

“I… considered whether the public interest requires any other matter to be investigated by the IPCC, including Sir Paul’s acceptance of hospitality from a family friend at Champneys Medical, unconnected to his professional life, while he was on sick leave,” said IPCC deputy chair Deborah Glass in a statement issued this lunchtime.

The health spa was promoted by PR firm Outside Organisation, whose managing director was Neil Wallis – the former deputy editor of the News of the World.

Wallis was arrested on 14 July by Met police investigating alleged phone-hacking at the now-defunct Sunday tabloid.

“The public will make its own judgments about whether any senior public official should accept hospitality to this extent from anyone – or indeed about a policy which regards hospitality as acceptable merely because it is disclosed,” said Glass.

“But whether or not the acceptance of hospitality amounts to recordable conduct, I do not consider that it is necessary to investigate it further. Sir Paul Stephenson has given a public account of his actions and of course, has resigned.”

Scotland Yard’s assistant commissioner John Yates also quit his job at the Met last month, as revelations in the phone-tapping saga at News International, which is owned by Rupert Murdoch’s News Corp, continued to unravel.

Glass said today that given Yates had been questioned in six separate parliamentary grillings over his involvement in phone hacking, the IPCC could not see what any further probe would achieve.

“We would agree that he made a poor decision in 2009,” she said.

Last month, Yates told MPs that he regretted not re-opening the Met’s original investigation into phone-hacking claims in 2009.

“I felt the evidence had been followed,” he said at the time.

Yates, who stood down from his position on 18 July, spent one day in 2009 looking at the initial investigation into phone-hacking, but concluded that there was nothing worth pursuing further.

“He himself has acknowledged that, given what is now known, he made a poor decision for which he has now taken responsibility. Had no new investigation into phone hacking begun this may well have been a recommendation, but the current investigation which started in January 2011 makes this unnecessary,” said Glass.

She said she had also found no reason to carry out any further investigation into the conduct of Peter Clarke, who led the original phone-hacking investigation at the Met, which at the time was handling around 70 live operations relating to terrorist plots.

Glass noted that the Met’s ex-deputy commissioner Andy Hayman’s conduct had not been referred to the IPCC by the Metropolitan Police Authority.

“[H]is social contacts with News International and subsequent employment by the Times [which is owned by News International] have been criticised,” she said.

“While there are serious issues that need to be scrutinised about the extent of contact between senior police officers and the media – and particularly around hospitality – in the absence of any actual evidence of impropriety these are, in my view, for the inquiry to explore,” said Glass.

An independent inquiry has been launched by the police watchdog into claims that Yates had secured a job at the Met for the daughter of Neil Wallis.

The former Murdoch man’s Chamy Media company’s contract with Scotland Yard – offering up PR services to England’s largest police force between October 2009 and September 2010 – is also being investigated by the IPCC, said Glass.

The Commission is separately probing alleged police corruption linked to the phone-hacking scandal, which the Met is investigating as part of Operation Weeting.

“Should any further evidence emerge, through our investigations or from the Leveson Inquiry, of any impropriety by an officer, retired or otherwise of any rank, I would expect it to be recorded by the appropriate authority and referred to the IPCC,” Glass added.

“On this basis I will keep all of these decisions under review as the inquiry progresses.”

Yates said in a statement via the Met that he was “pleased” that the IPCC was no longer investigating him in relation to any involvement in the phone-tapping issues that had been flagged by the MPA.

“I am disappointed with the IPCC’s decision to investigate my peripheral involvement in recruitment process of Neil Wallis’s daughter,” said Yates.

“I strongly deny any wrongdoing and I am completely confident that I will be exonerated.

“I have been entirely open about this matter and I will cooperate fully with the investigation which I hope will be conducted swiftly,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/ipcc_clears_met_cops_over_phone_hacking_misconduct_claims/

German tap-to-pay telco allies don’t need no stinkin’ banks

The German arms of Telefonica and Vodafone, along with Deutsche Telekom, have signed an agreement to take their virtual mpass payment platform physical, without the help of the banks.

The letter of intent, signed by all three companies, states that the mpass system will be set up as a jointly-owned-but-independent company handling payments made by customers of any of the network operators, and without having to pass on a cut to the existing payment processors.

That is in contrast to the rest of the world where mobile operators have been busy conceding the mobile-payments business to the existing providers (Visa, Mastercard and their ilk).

In the USA ISIS was set up to provide a similar mechanism, but has now scaled back plans to welcome in the existing players, while the UK operators have been busy creating a standardised advertising platform so that they can make money from NFC without having to worry about slicing the mobile-payment cake too thinly.

But German operators reckon they can do it, even if it means distributing new point-of-sale equipment to shops and, as NFC Times points out, delaying previously-scheduled launches of independent offerings:

“[Q]ueues at the supermarket will soon be a thing of the past,” says Deutsche Telekom’s ebullient Director of Marketing, espousing the benefits of pay-by-tap.

Mpass already operates in Germany, allowing payments authorised by SMS, and was even available (briefly) in the UK a decade or so ago, but despite its longevity it hasn’t proved very popular. Getting new terminals into every shop in the country will increase the visibility of the brand, but it is the cost of doing just that which has put off operators in so many other countries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/german_nfc_mpass/

UK man faces five charges for repeated Facebook hacks

A 25-year-old UK man has been charged with five counts of illegal hacking for repeatedly penetrating the security defenses of Facebook.

Glenn Steven Mangham of York was accused of engaging in a hacking spree against Facebook earlier this year. From April 27 to May 9, he allegedly targeted at least three different services used by the social network. According to The Telegraph, the services included a Facebook “puzzle server,” a “mailman” server and a restricted part of a “Facebook Phabricator server.”

Mangham appeared briefly in Westminster magistrates’ court on Wednesday and was released on bail. Judge Nicholas Evans ordered the defendant not to use the internet and to surrender his iPhone and any other devices capable of accessing the net while the case is pending.

Details of the alleged security breach were sketchy. The Telegraph said Mangham “repeatedly hacked into a Facebook ‘puzzle server’ using software he had downloaded.” The report went on to say Mangham “allegedly knew that doing so could disrupt its operation.” The mailman server he allegedly targeted may have been used to to run internal and external email distribution lists.

Mangham is accused of having “a special software script to hack into the Phabricator server.” The Facebook Phabricator is a collection of open-source applications for the site.

Users’ personal data wasn’t compromised in the hacks, a Facebook spokesman said. Mangham is scheduled to reappear in court next month for a committal hearing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/facebook_hacking_suspect/

Free Ride: Disney, Fela Kuti and Google’s war on copyright

Interview Wars over creators’ rights are pretty old – much older than copyright law. In one of the first “copyfights”, in 561AD, about 3,000 people died, writes Robert Levine in his new book Free Ride. St Colmcille and St Finnian clashed over the right to make copies of the Bible, with the King castigating Colmcille for his “fancy new ideas about people’s property”.

Levine’s book is a story of the digital copyright wars …

“I tried to write in an analytical way about something people get very emotional about. I don’t really believe the entertainment industry is good and the technology industry is bad; I just don’t see it as a morality issue. Businesses are in business to make money,” Levine says.

The book details the calamitous decisions made by the music business, particularly in its suing of end users for infringement. “In a few years,” he writes, “the major labels managed to destroy the cultural cachet they had spent decades building.”

The book also follows in detail Google’s “war on copyright” and the academics and activists who benefit from it. It comprehensively demolishes the arguments put by Lawrence Lessig, who helped create the cyberlaw industry. This is a book with masses of solid, meticulously researched detail.

I caught up with Levine in Berlin.

Q: What do you see as the culture industries’ biggest mistakes? You focus a lot on music …

Levine: The music industry made a lot of mistakes. They could have launched an iTunes store. And suing individuals was a mistake. I don’t think there’s anything wrong with companies suing companies: Napster, or Grokster for example. But suing people created publicity so bad that it made it very hard to get a legislative solution. It was a complete disaster.

But you have to remember that there’s a lot of things that aren’t legally or financially practical for an incumbent to do. You have a game theory-type problem: the establishment player has a lot to lose and has to play by the rules. A startup doesn’t have to.

‘The culture business is one that generates jobs that are pretty good, and doesn’t create a lot of pollution, compared to BP’

People say they should have worked with Napster. But the labels would have been trading quarters for dimes, and they didn’t even know those dimes would be worth 10 cents. It assumes Napster would have worked out as a business.

I also think labels should have cut CD prices faster. But did you know Universal Music cut CD prices 25 per cent in 2002, and sold 13 per cent more CDs. You lose money that way; we’ve seen that again and again. We’ve seen iTunes raise the price of the best-selling songs from 99 cents to £1.20 and make more money. People aren’t price-sensitive as much as they’re convenience-sensitive. They want it when they want it.

The record companies should have done something like Hulu. I gather there were antitrust issues. Hulu does a good job, and it also helps TV companies control things a little bit. Hulu also makes money. The labels together could have done something pretty well.

Q: And DRM?

Levine: A lot of people say DRM was huge problem. But when EMI eliminated it, it didn’t create a huge boost in sales. People hate DRM in that it won’t let them do what they want, but very few people are against it on principle. I haven’t seen any evidence that people care. Sales don’t respond to DRM policy.

People want something easy to use and iTunes is easy to use. Convenience is what iTunes delivers.

It’s all about markets

Q: Your argument is really to get money flowing to the creators online.

Levine: We’ve had a market for IP for at least 300 years. I think it works pretty well. If you compare the cultural output of countries with a market for IP and those without, it’s clear that a market gives you better IP on an economic level, and possibly on a cultural level too.

If you look at West Germany, they produced Herzog, Fassbinder, Can, Neu! and Krautrock. In East Germany they produced, well, maybe some good TV shows, but not ones they could export.

Or if you look at Nigeria and Brazil, they’re countries that in the 1960s and 1970s had great pop music that changed the world. In Brazil, you had Tropicalia, Gilberto Gil and Os Mutantes; people still buy those records today. in Nigeria, you had Fela Kuti, who is still as iconic as he ever was. This generated money sent back to Brazil and Nigeria. Now people are still making the music but not a lot of money is going back. And those countries could use the money. The culture business is one that generates jobs that are pretty good, and doesn’t create a lot of pollution, compared to BP.

If the culture business disappears, then culture is not going to disappear. I use the example of The Beatles without George Martin: they would have continued to be great songwriters, and we’d have the songs, but they wouldn’t have made great albums.

You can’t have an economy without a market. You can’t have a market without property rights, and you can’t have property rights without a means of enforcing those rights. Copyright has some aspects of property, and one of these is you can’t sell something if somebody else is giving it away.

Next page: Google and the academics

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/robert_levine_freeride_interview/

Outsourcer says rivals faked stolen database offer

eBay-style outsourcing site PeoplePerHour says a rival firm faked emails which claimed to be offering the company’s customer database for sale.

The company initially feared that a disgruntled ex-contractor had swiped customer records and was offering them for sale to rival companies. The rivals declined the offer and tipped off PeoplePerHour.

Company founder Xenios Thrasyvoulou said: “We have now looked extensively into the matter, including getting the headers of the initial email that was sent to our competitors informing them that they have a database and contacting this supposed fraudster in India. We also got access to the email account via Google as we filed a fraud complaint with them.”

He said the email headers showed that the email could not have been sent from India where the contractor is supposedly based. Additionally the fake mails used an actual contractor’s name, but added a digit at the end.

Thrasyvoulou said: “So: all the evidence shows that someone (probably an envious competitor) got the name of a former contractor (which is very easy to get from places like LinkedIn etc), created a Gmail account in their name with a slightly different suffix and sent this out to competitors and the press. Its a lame attempt to hurt us.”

The company is confident no customer data was compromised.

The site is one of several offering “bid for a contractor” services to small businesses but we had no idea competition in this market was so cut-throat. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/peopleperhour_denies_leak/

Op Weeting plods cuff 13th hack in phone-hack probe

The Metropolitan police have arrested another man as part of its ongoing investigation into alleged phone-hacking at axed Sunday tabloid News of the World.

“On Thursday, 18 August, officers from Operation Weeting arrested a man [H], aged 38, on suspicion of conspiring to unlawfully intercept voicemails contrary to section 1(1) Criminal Law Act 1977,” said Scotland Yard in a brief statement this morning.

The unnamed man was cuffed by appointment at a London police station, where he remains in custody.

This arrest brings the total number of people allegedly associated with the NotW phone-hacking scandal to 13.

A Guardian report suggest that James Desborough, who joined the tabloid as a showbiz reporter in 2005 before being promoted to Hollywood editor in 2009, is the man currently being quizzed by police. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/police_arrest_man_operation_weeting/