
UK MPs to hold emergency debate on phone hacking

> September 8th, 2010 ---

The Downing Street communications chief Andy Coulson is under renewed pressure as it was announced that MPs will hold an emergency Commons debate about newspaper phone hacking tomorrow.

Nick Clegg, the deputy prime minister, gave only qualified backing to Coulson at prime minister’s questions today as Labour strove to keep the affair at the top of the political agenda.

As the Speaker, John Bercow, said he would grant a debate on phone hacking, Clegg refused to say whether he believed Coulson’s insistence that he did not know about the illegal practices that took place when he was editor of the News of the World. Taking prime minister’s questions in the absence of David Cameron, who flew to France to be with his ill father today, Clegg warned Labour not to “second guess” police inquiries into fresh allegations surrounding Cameron’s press chief.

Security vendor demonstrates insider attack on VMware ESX

> September 8th, 2010 ---

The VMware ESX hypervisor could let IT staff steal sensitive data by abusing administrative access, particularly if customers fail to implement role-based access controls, the security vendor BeyondTrust argued last week at VMworld.

IT staff with root access to VMware ESX can steal virtual machine disk files and then erase log files and other traces of the illicit activity by manipulating the service console, a Linux-based instance that manages the VMware hypervisor, BeyondTrust says. This could make it easy to steal medical records, financial data, or any other files tied to virtual machines, says Jordan Bean, principal systems engineer for BeyondTrust. Bean provided a demonstration of this type of attack on the VMworld conference exposition floor.

But in response, VMware noted that root access to any sort of IT product could let users do malicious things. VMware doesn’t have built-in access controls for the service console, but does offer a recommended set of best practices to enable role-based access controls and has partnered with third parties – including BeyondTrust – to track and manage access into virtualized environments.

NSA Director Says U.S. Has a Duty to Secure the Internet

> September 7th, 2010 ---

The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country’s top military cybersecurity official said Tuesday. However, Gen. Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, provided virtually nothing in the way of details of how the government intends to accomplish this rather daunting task.

In a speech at the Gov 2.0 Summit here, Alexander said that it is incumbent upon the U.S. government to play a major role in making both the public Internet and private, classified networks more secure and resilient to attack. He expressed confidence that the country’s information security apparatus was up to the task, but acknowledged the difficulty of securing the Internet, a network that many security experts see as hopelessly broken and flawed by design.

“We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,” Alexander said. “The challenge before us is large and daunting. But we have an obligation to meet it head-on.”

Police in File-Sharing Raids Across Europe

> September 7th, 2010 ---

This morning news is coming in which indicates that very significant raids against illicit file-sharing are taking place in locations across Europe.

Police in up to 14 European countries are said to be involved in an operation, said to be in the planning for two years, targeting the Warez Scene, the network of individuals and servers at the top of the so-called ‘Piracy Pyramid’.

Details are scarce at the moment, but it is believed that at the behest of Belgian authorities, raids have gone ahead in The Netherlands, Belgium, Norway, Germany, Great Britain, Czech Republic, Hungary and Sweden. Not unusually, Sweden appears to have borne the brunt of the activity with a total of seven locations raided including Stockholm, Malmö, Umeå, Eskilstuna and Solna.

Flash Player as a spy system

> September 7th, 2010 ---

If a forged certificate is accepted when accessing the Flash Player’s Settings Manager, which is available exclusively online, attackers can potentially manipulate the player’s website privacy settings. This allows a web page to access a computer’s web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.

At the “Meta Rhein Main Chaos Days 111b” (German language link), Fraunhofer SIT employee Alexander Klink presented a scenario in which he used a man-in-the-middle attack (MiTM) to intercept the communication with Adobe’s Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS – a fixed link to it is encoded into the browser.

However, the MiTM attack allows attackers to inject a specially crafted applet which, to put it simply, manipulates the Flash cookies (Local Shared Objects, LSOs) on the victim’s computer in such a way that the computer’s web cam and microphone become accessible to arbitrary domains – by default, no domain has access to these components. This, in turn, allows images and audio to be transmitted to the attacker’s server via RTMP streaming.

Cloud Computing: The Invisible Revolution

> September 7th, 2010 ---

I attended VM World last week, and as you might imagine, it was “cloud computing” this and “cloud computing” that the whole time. The hype factor for the cloud is in overdrive right now. But is it warranted? A lot of people, even tech-oriented ones, outside of the data center sysadmin types, wonder what all the hype is about. I’ve come to believe that cloud computing is a major computing revolution, but for most computing users, it’s an invisible one.

Geek ambivalence about cloud computing is interesting, because it’s not like it’s a new phenomenon. In tech years, the idea has been around for ages. But part of the problem is that the actual definition of cloud computing isn’t really all that easy to pin down. And marketers have been fond of talking about things being cloud computing when it’s really only peripheral, and it’s really a shameless ploy to capitalize on a hot trend. But in a nutshell, here’s what I think is the essence of the cloud computing concept.

PS3 update kills Jailbreak and Groove

> September 7th, 2010 ---

If you’ve taken advantage of the recent PS3 hack and want to carry on using it then you should avoid installing the new PS3 firmware update, v3.42.

The PS3 was finally hacked a few weeks ago when the PS Jailbreak went on sale via several Australian distributors. The mod chip enabled gamers to play pirated games and back games up to their hard drives.

Sony managed to secure a ban on the sale of the USB dongles containing the hack, first temporarily and then permanently. But the source code had already been released for free onto the Internet via BitTorrent sites. PS Groove was born. Sony has now upped its game, with firmware update v3.42 reportedly blocking the PS3 hack. Sony hasn’t confirmed as much, simply stating that “this is an overall security-related issue.”

Microsoft beat up, then defended over ancient IE8 zero-day

> September 7th, 2010 ---

The war between security researchers (particularly from Google) and Microsoft is heating up, again, over an old bug in IE8 that was reportedly disclosed to Microsoft years ago. Once again, it seems like there aren’t any good guys looking out for the users. On Friday, Google security researcher Chris Evans, in a fit of frustration over what he said was Microsoft’s lack of action, posted a link to proof-of-concept code for the bug to the Full Disclosure mailing list.

This prompted Microsoft’s Security Response team to Tweet an acknowledgment of the hole on Friday. It said, “We’re aware of a publicly disclosed issue involving Internet Explorer. We’ll continue to investigate over the weekend.” (6:52 PM Sep 3rd via web)

This Tweet prompted Computerworld’s Gregg Keizer to write a story today, “Microsoft investigates two-year-old IE bug.” This prompted Jason Miller, data and security team manager from security patch vendor Shavlik Technologies, to send journalists such as me an e-mail this afternoon defending Microsoft and declaring that nothing is a zero-day until the vendor confirms that it is.

BSA Gives £10,000 Reward to Software Piracy Whistleblower

> September 6th, 2010 ---

The Business Software Alliance has a bounty program that rewards software piracy whistleblowers. The latest beneficiary of BSA’s bounty program, which offers up to $1 million in reward money, is said to have received £10,000 ($15,300) for blowing the lid off his former employer’s use of unlicensed software. According to BSA, the tip helped it recover more than £100,000 (approx. $150,000) in damages from an unidentified media company.

“I was aware that the BSA offers a financial payment but I never expected this much money,” the whistleblower, only identified as a Microsoft certified IT Professional, was quoted as saying by the BSA. “This is definitely an extra motivation for other people like me, already frustrated by a management that thinks that they can get more with less.”

This news comes on the heels of BSA’s revelation that it settled with more than 1,000 companies in the first six months of 2010. It further said that these “settlements” helped it recoup £6.5 million in damages and licensing fees.

Police terror trainers lose USB stick in street

> September 6th, 2010 ---

The curse of the unencrypted memory stick has struck Manchester Police, which has suffered embarrassment as a drive containing apparently sensitive information was found lying in the street.

The unsecured data on the drive related to training information on coping with riots, violent suspects, and public disorder. According to the Daily Star, the red top newspaper to which the drive was handed in by a passer-by, some of the information has bearing on terrorism training, including blast control, firearms handling and strategies for dealing with petrol and bomb attacks.

Despite the newspaper describing the loss as ‘dumping terror secrets on to the streets’, much of the contents are what would be expected of the Greater Manchester Police Police Training Unit (GMP POTU), whose markings were on the drive.