Wednesday, November 24, 2010

Facebook feeds beset with malware

One fifth of Facebook users are exposed to malware contained in their news feeds, claim security researchers.

Security firm BitDefender said it had detected infections contained in the news feeds of around 20% of Facebook users.

By clicking on infected links in a news feed, users risk having viruses installed on their computer.

Facebook said it already had steps in place to identify and remove malware-containing links.

BitDefender arrived at its figures by analysing data from 14,000 Facebook users who had installed safego, a security app it makes for the social network.

In the month since safego launched, it has analysed 17 million Facebook posts, said BitDefender.

The majority of infections were associated with apps written by independent developers, which promised enticements and rewards to trick users into installing the malware, BitDefender said.

Trusted community

These apps would then either install malware used to spy on users or send messages containing adverts to the users' contacts.

Facebook has a thriving community of independent developers who have built apps for the social network.

The vast majority enable users to tweak their Facebook pages, adding widgets, games or extra functions, such as delivering daily horoscope predictions.

Facebook said it had processes and checks in place to guard against the risk of malware.

"Once we detect a phony message, we delete all instances of that message across the site," the site said in a statement.

Crooks have targeted social networks, such as Facebook and Twitter, because of their vast number of users, said Rik Ferguson, a security researcher for anti-virus maker Trend Micro.

"Because social networks are based on a community of people you trust, they're an attractive target for malware writers," said Ferguson. "You're more likely to click on a link from someone you trust."



Powered by WizardRSS | Best Membership Site Software

Tuesday, November 23, 2010

First fines for data act breaches

A county council that faxed details of a child sex abuse case to a member of the public is to be fined £100,000 for breaching the Data Protection Act.

Hertfordshire County Council is one of two bodies fined by the Information Commissioner - both have apologised.

Sheffield-based A4e was fined £60,000 for losing an unencrypted laptop with the details of thousands of people.

The commissioner said the fines - the first he has issued - would "send a strong message" to those handling data.

Commissioner Christopher Graham was granted the authority to serve financial penalties for data protection breaches in April of this year.

Hertfordshire County Council was fined after two incidents in which faxes containing highly sensitive personal information, involving a child sex abuse case and care proceedings, were sent to the wrong recipients.

Fax mistakes

The breaches occurred in June, when employees in the council's childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner's Office (ICO).

The first misdirected fax was meant for a barristers' chambers but was sent instead to a member of the public.

The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.

The second misdirected fax, sent 13 days later by another member of the council's childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions on the cases.

The fax was intended for Watford County Court but was mistakenly sent to a barristers' chambers unconnected with the case.

The commissioner ruled that a penalty of £100,000 was appropriate, given that the council's procedures failed to stop two serious breaches taking place.

And after the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring, the ICO said.

Laptop theft

Mr Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks."

A spokesman for Hertfordshire County Council said it accepted the commissioner's findings.

"We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence," he added.

The A4e data breach also occurred in June, after the company - a private sector company which provides information on employment and starting a business - issued an unencrypted laptop to an employee so they could work at home.

The computer contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

But it was later stolen from the employee's house and an unsuccessful attempt to access the data was made shortly afterwards.

Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

A4e reported the incident to the ICO and the company subsequently notified the people whose data could have been accessed.

'Substantial harm'

The commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be on it.

Mr Graham said the theft of the laptop was "less shocking" than the council's security breaches.

But he said it "also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".

He added: "These first monetary penalties send a strong message to all organisations handling personal information - get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."

A4e chief executive Andrew Dutton said: "We acted very swiftly after the incident in June, including making a voluntary report to the ICO. We alerted all customers, partners and relevant authorities affected and continue to update them.

"This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures.

"Our priority has always been, and remains, our customers and partners. We have apologised for any distress caused to those involved in this one-off incident in Hull and Leicester and we do so again."


Iran denies nuclear virus damage

Iran has denied that the Stuxnet virus has caused any delays in its nuclear power programme.

It issued the denials following speculation from a former UN nuclear inspector that Stuxnet had managed to damage key equipment.

But Iran said it had caught Stuxnet before it managed to reach its intended target - controllers for centrifuges.

The country accused the West of trying to sabotage what it called its "peaceful" nuclear power plans.

The denial came from Iranian Vice President Ali Akbar Salehi who oversees the country's nuclear project.

"From more than a year ago, Westerners tried to implant the virus into our nuclear facilities in order to disrupt our activities but our young scientists stopped the virus at the very same spot they wanted to penetrate," he said in comments reported on an Iranian state television website.

Stuxnet is the first malicious program that targets key parts of industrial plants. Analysis by security firm Symantec suggests that Stuxnet was intended to wreck the centrifuges used to concentrate uranium - a key part of the nuclear power generation process.

Reports suggest that Iran has taken thousands of centrifuges offline in recent months and its nuclear programme is known to have suffered significant delays.

Speculation about whether this was caused by Stuxnet came earlier this week from two sources - an unnamed official from the UN's International Atomic Energy Agency and Olli Heinonen, deputy director at the IAEA until August.

The anonymous official told AP that Western intelligence gathering suggested that Stuxnet had infected control systems in Iran's nuclear plants.

Mr Heinonen confirmed that Iran had experienced problems with centrifuges and said they could have been caused by technical problems or Stuxnet, but added that there was no proof that the worm was responsible.


PC vaccine needed in botnet fight

The equivalent of a government-backed vaccination scheme is needed to clean up the huge numbers of PCs hijacked by cyber criminals, suggests research.

In Europe, about 5-10% of PCs on broadband net links were hijacked and part of a botnet in 2009, it suggests.

ISPs are key to wresting control of these machines away from criminals, says the Dutch report.

Initiatives in Germany and Australia show how official help can boost efforts to clean up infected machines.

Home invasion

The survey of botnet numbers was carried out in an attempt to understand the scale of the problem and reveal the forces influencing how many PCs on a particular network are hijacked.

Botnets are typically networks of home computers that malicious hackers have managed to hijack by tricking their owners into opening a virus-laden e-mail or visiting a booby-trapped website.

They are then commonly used to pump out spam and attack websites.

It drew up its figures by analysing a pool of 170 million unique IP addresses culled from a spam trap that amassed more than 109 billion junk mail messages between 2005 and 2009.

With 80-90% of all spam being routed through hijacked PCs, these IP addresses were a good guide to where infected machines were located, said Professor Michel Van Eeten from the Delft University of Technology, who led the OECD-backed research.

Analysis of this huge corpus of data showed that about 50 ISPs were harbouring around half of all infected machines worldwide. Confirmation of this finding came from other non-spam sources - the 169 million IP addresses that were part of the Conficker botnet and 130 million IP addresses collected by net security watchdog SANS.

The numbers of machines on these networks varied widely, said Professor Van Eeten, but infection rates on individual networks were quite stable over time relative to each other.
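The analysis described above (unique spam-source IP addresses attributed to networks, then the share held by the largest networks, and infection rates normalised by network size) can be reproduced in miniature. The code below is an added example, not code from the Delft/OECD study or from BitDefender; the prefix-to-network table, subscriber counts and spam-trap sightings are constructed, and a real analysis would use an ASN or BGP dataset in place of the hand-written prefixes.

```python
"""Concentration of spam-source IPs per network (added example).

Assumes constructed inputs: a prefix -> network table standing in for an
ASN lookup, per-network subscriber counts, and spam-trap sightings.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed prefix -> network label table (hypothetical ISPs).
NETWORKS = {
    "198.51.100.0/24": "isp-a",
    "203.0.113.0/24": "isp-b",
    "192.0.2.0/24": "isp-c",
    "100.64.0.0/16": "isp-d",
}

# Constructed subscriber counts, used to normalise raw infection counts.
SUBSCRIBERS = {"isp-a": 1000, "isp-b": 100, "isp-c": 10, "isp-d": 2000}

# Constructed spam-trap sightings: (source IP, day observed). The study
# counted unique IP addresses, so repeat sightings must not be double-counted.
SIGHTINGS = [
    ("198.51.100.10", 1), ("198.51.100.10", 2), ("198.51.100.11", 1),
    ("198.51.100.12", 3), ("198.51.100.13", 3), ("198.51.100.14", 4),
    ("203.0.113.5", 1), ("203.0.113.6", 2),
    ("192.0.2.7", 1),
    ("100.64.1.1", 2), ("100.64.1.1", 3),
    ("10.0.0.1", 1),  # no matching prefix: left unattributed
]


def network_for(ip: str) -> Optional[str]:
    """Longest-prefix style lookup over the constructed table."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, name in NETWORKS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else None


def unique_ips_per_network(sightings: List[Tuple[str, int]]) -> Counter:
    """Count each source IP once and attribute it to its network."""
    seen = set()
    counts: Counter = Counter()
    for ip, _day in sightings:
        if ip in seen:
            continue
        seen.add(ip)
        net = network_for(ip)
        if net is not None:
            counts[net] += 1
    return counts


def networks_for_share(counts: Counter, share: float = 0.5) -> Tuple[int, float]:
    """Smallest number of networks (largest first) holding at least `share`
    of attributed infected IPs, with the share they actually hold."""
    total = sum(counts.values())
    running = 0
    for n, (_net, c) in enumerate(counts.most_common(), start=1):
        running += c
        if running / total >= share:
            return n, running / total
    return len(counts), 1.0


def infection_rates(counts: Counter, subscribers: Dict[str, int]) -> Dict[str, float]:
    """Infected IPs per subscriber; the ranking differs from raw counts."""
    return {net: counts.get(net, 0) / size for net, size in subscribers.items()}


if __name__ == "__main__":
    counts = unique_ips_per_network(SIGHTINGS)
    n, s = networks_for_share(counts)
    print(f"{n} network(s) hold {s:.0%} of attributed infected IPs")
    for net, rate in sorted(infection_rates(counts, SUBSCRIBERS).items(),
                            key=lambda kv: kv[1], reverse=True):
        print(f"{net}: {counts[net]} infected IPs, rate {rate:.2%}")
```

On the constructed data a single network holds over half of the attributed infected addresses, which is the concentration effect the study reports, while the normalised rates rank the networks differently: the largest contributor by count is not the worst by rate. Keeping both views is what lets an ISP's relative standing be compared over time, as the paragraph above describes.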

What was also clear from the research, he said, was that ISPs were not going to be able to clean up the large numbers of infected machines without some kind of central aid. In Holland, ISPs have dramatically increased their efforts but are still only cleaning up about 10% of infected machines.

At the moment, he said, two bottlenecks were preventing ISPs doing more to clean up machines.

The first, he said, was the lack of comprehensive data about the numbers and location of infected machines.

An initiative by the Australian government to pool data on infections and provide it to the nation's ISPs showed how this could be overcome, said Prof Van Eeten.

"The second bottleneck is that it costs money to notify customers and get them to clean up their machine," he said.

"An incoming call is very costly especially as those kinds of calls need experts," he said. "ISPs can completely lose their profit margin on a customer like that."

South Korea and Germany had tackled this problem, he said, by setting up national call centres to which ISPs can refer infected customers, where they can get advice about disinfecting their machine. The call centres are publicly funded - though Germany will only pay for its centres temporarily.

"Governments can be very helpful," he said.

Prof Van Eeten said the numbers and prevalence of botnets suggests we should perhaps see them as the modern-day equivalent of the epidemics that struck in Victorian times and prompted the creation of government-backed vaccination schemes.

A similar system delivering a digital vaccine might again be part of the solution, he said.


Auction of codebreaker's papers

Papers published by World War II codebreaker Alan Turing are expected to fetch about £500,000 at auction later.

The Manchester University scientist, who killed himself in 1954, created a machine at Bletchley Park to crack messages in the German Enigma code.

Last year, the then prime minister Gordon Brown gave him a posthumous apology for the "appalling" treatment he received for being gay.

The documents will go under the hammer at Christie's in London later.

Turing, who has been called the "father of the computer", published only 18 papers in his short career.

He was prosecuted for having a sexual relationship with a man and two years later he committed suicide by biting into an apple which he had laced with cyanide.

He was found dead at his home in Wilmslow, Cheshire, where a plaque has been erected to pay tribute to him.

Since it was announced that the papers were going to be sold, IT journalist Gareth Halfacree has been trying to raise the cash to buy them and donate them to Bletchley Park Trust in Milton Keynes.

So far he has raised £85,000, having just received a £62,784 donation from Google.

"We are still a bit short of what we need but I still hope that Microsoft or Apple might donate at the last minute," Mr Halfacree said.

Bids for the collection, which contains his first published paper, his pioneering work on artificial intelligence and the very foundations of the digital computer, have to be submitted by 1030 GMT.

They will go under the hammer at 1400 GMT.

Mr Halfacree added: "If we do not raise enough, which is looking increasingly unlikely, I hope whoever buys it donates the papers to Bletchley Park so we can all benefit from them."

He said the money he has raised so far will still go to the trust whether it is used to buy the papers or not.


Challenge to Twitter 'joke' trial

A man who was convicted and fined for a Twitter message threatening to blow up an airport has said he will take his case to the High Court.

Paul Chambers was convicted in May for sending a menacing electronic communication.

A recent appeal failed to overturn the conviction, sparking outrage amongst Twitter users.

The 27-year-old accountant will now be represented by high-profile human rights lawyer Ben Emmerson.

The challenge will centre on whether or not section 127 of the Communications Act, under which he was convicted, was "appropriately applied".

Mr Chambers and his lawyers have until 2 December to challenge the conviction.

His lawyers regard Mr Chambers' conviction as a test case, as it was the first time that the Communications Act was applied to an offence on a social network.

"We want to establish what constitutes a menacing communication, what should be the level of intent required for the offence to be committed, and whether or not Paul's message was sent by means of a public electronic communications network," said David Allen Green, his solicitor.

Doncaster Crown Court recently upheld his original conviction causing a wave of outrage on Twitter, with thousands of supporters retweeting Chambers' message, which read: "Crap! Robin Hood airport is closed. You've got a week to get your shit together, otherwise I'm blowing the airport sky high!"

The so-called "I'm Spartacus" campaign was inspired by the famous scene in the 1960s blockbuster, when slaves stood up one by one to claim "I'm Spartacus" in order to save their fellow gladiator from detection.


Monday, November 22, 2010

Stuxnet 'hit' Iran nuclear plans

The Stuxnet worm might be partly responsible for delays in Iran's nuclear programme, says a former UN nuclear inspections official.

Olli Heinonen, deputy director at the UN's nuclear watchdog until August, said the virus might be behind Iran's problems with uranium enrichment.

Discovered in June, Stuxnet is the first worm to target control systems found in industrial plants.

Iran has denied that delays to its nuclear plans were caused by Stuxnet.

Technical problems

Interviewed by Reuters, Mr Heinonen said there were many reasons for the ongoing delays at Iran's Natanz uranium enrichment plant - a key part of the nuclear power generation process.

Uranium is typically enriched or concentrated by being spun in centrifuges at high speed.

Mr Heinonen said the technical complexity of creating centrifuges had also contributed to the delays in Iran's nuclear programme.

"One of the reasons is the basic design of this centrifuge... this is not that solid," said Mr Heinonen, a former deputy director at the International Atomic Energy Agency (IAEA).

Quizzed about whether Stuxnet could have contributed to the delays, he said: "Sure, this could be one of the reasons... there is no evidence that it was, but there has been quite a lot of malfunctioning centrifuges."

Analysis carried out by security firm Symantec shows that a Stuxnet-infected controller in an industrial plant would make the devices it was connected to run at very high speeds almost indefinitely.

Symantec's research also suggests that Stuxnet was designed to hit motors controlling centrifuges and thus disrupt the creation of uranium fuel pellets.

Figures gathered by security firms show that 60% of all the infections caused by Stuxnet were on machines in Iran.

An IAEA report released in September shows that about 160 centrifuges in Iran's nuclear plants had been taken offline in only a couple of months. No reasons were given for the devices being shut down.

However, Iran has always denied that the Stuxnet worm had anything to do with the ongoing delays to its nuclear power programme. Iran's Bushehr nuclear power plant is due to start generating power in January 2011, two months later than originally planned.


Friday, November 19, 2010

Code clues point to Stuxnet maker

Detailed analysis of the code in the Stuxnet worm has narrowed the list of suspects who could have created it.

The sophisticated malware is among the first to target the industrial equipment used in power plants and other large scale installations.

New research suggests it was designed to disrupt centrifuges often used to enrich uranium.

Forensic analysis of the worm has revealed more about the team behind it and what it was supposed to do.

Code secrets

The close look at the code inside Stuxnet was carried out by Tom Parker from security firm Securicon who specialises in picking out the digital fingerprints hackers leave behind in malware.

His analysis of Stuxnet shows it is made of several distinct blocks. One part targets industrial control systems, another handles the worm's methods of spreading itself and another concerns the way its creators planned to communicate with and control it.

The most sophisticated part of Stuxnet targeted the Programmable Logic Controllers used in industrial plants to automate the operation of components such as motors or pumps.

Subverting PLCs required detailed knowledge of one manufacturer's product line, the programming language written for it and insight into how it could be subverted. That meant, said Mr Parker, the list of suspects was pretty short.

"I do believe the PLC components were written in the West," he said. "It's western companies that are investing most heavily in automation of industrial processes, whether it's putting coke in cans or nuclear enrichment."

"However, the bits that drop it into a system and the command and control parts are not that advanced at all," said Mr Parker.

"I've compared this less advanced code to other malware and it does not score very highly," he said.

Dedicated hi-tech criminals would not have used such crude methods of distribution and control, he said, suggesting that it was put together by a nation rather than organised crime.

What this implies, he said, is that whichever country put Stuxnet together commissioned the creation of the PLC part from a Western nation, then added its own distribution and control code to it.

The analysis suggests that a team of 6-10 people were behind Stuxnet and were involved with it for some time. Whoever wrote it would also need information about and access to industrial plants in Iran if that was the actual target, said Mr Parker.

Motor control

More information has also emerged about how Stuxnet disrupts the industrial control systems it managed to compromise.

Research by security firm Symantec has shown that the likely targets were frequency converters that many PLCs are hooked up to in order to regulate a motor.

In particular, said Symantec, Stuxnet targeted those operating at frequencies between 807Hz and 1210Hz.

"There's a limited amount of equipment operating at that speed," said Orla Cox, security operations manager at Symantec. "It knew exactly what it was going after."

"Those operating at 600Hz or above are regulated for export by the US because they can be used to control centrifuges for uranium enrichment," she said.

If Stuxnet did manage to infect a PLC connected to a centrifuge, it would seriously disrupt its working, said Ms Cox.

What is not clear, said Ms Cox, is whether Stuxnet hit its target. If it did not, she said, then the fact that the command and control system has been taken over by security firms has ended any chance of it being used again.

"Our expectation is that the attack is done at this point," she said. "We've not seen any more variants out there and I don't suspect we will."

Mr Parker said that whoever did write it failed in one respect because Stuxnet has not stayed live for as long as its creators hoped.

The control system set-up would have needed to stay in place for years to have a seriously disruptive effect on its intended targets, he said.

"Someone has serious egg on their face because they are never going to be able to use this investment ever again," he said.


Internet 'could kill jury system'

The jury system may not survive if it is undermined by social networking sites, England's top judge has said.

In a lecture published on Friday the Lord Chief Justice, Lord Judge, raised major concerns about the use of the internet by jurors.

He said: "If the jury system is to survive as the system for a fair trial... the misuse of the internet by jurors must stop."

Lord Judge said some jurors had used the internet to research a rape case.

Earlier this year a judge in Manchester had to dismiss a jury and restart a trial, The Sun reported, after a juror went onto her Facebook page, gave details of a trial and asked friends: "Did he do it?"

Lord Judge, who is the most senior judge in England and Wales, said it was too easy for campaigners to bombard Twitter with messages in a bid to put pressure on jurors who might be looking at it.

He said: "We cannot stop people tweeting, but if jurors look at such material, the risks to the fairness of the trial will be very serious, and ultimately the openness of the trial process on which we all rely, would be damaged."

Lord Judge added: "We cannot accept that the use of the internet, or rather its misuse, should be acknowledged and treated as an ineradicable fact of life, or that a Nelsonian blind eye should be turned to it or the possibility that it is happening.

"If it is not addressed, the misuse of the internet represents a threat to the jury system which depends, and rightly depends, on evidence provided in court which the defendant can hear and if necessary challenge."

He said judges need to warn jurors in the strongest terms not to use the internet to research cases or to give details of cases they are deliberating on.

He wants the notice in jury rooms to be amended to include a warning that such research could amount to a contempt of court. He raised the prospect of sentencing jurors who use the internet for research.

Lord Judge even suggested sending text messages from court buildings should be banned.

The BBC's Legal Affairs Analyst, Clive Coleman, said: "This is the strongest and most detailed judicial consideration of the threat to the criminal justice system posed by jurors using modern technology. It raises major questions of how to police and stop internet use."


Google's wi-fi data to be deleted

The UK's information commissioner has said that wi-fi data accidentally collected by Google's Street View cars will be deleted "as soon as possible".

Deputy information commissioner David Smith told the BBC that there would be no further enquiries into the matter.

He said there was no indication that any information collected "had fallen into the wrong hands".

It will not appease critics who called for the search giant to be fined.

There were no grounds for fining Google, Mr Smith told the BBC.

"We'd have had to find that there was substantial damage or distress to individuals from the collection of snippets of e-mails, URLs and passwords. We'd have to meet that criteria for a penalty to be imposed," he said.

Google admitted earlier this year that it had accidentally collected information from unsecured wireless networks around the world.

The incident came to light during a routine audit by the Hamburg data authority.

It led to dozens of enquiries with some - notably the Canadian data commissioner - offering detailed findings about the nature of the breaches.

The Canadian investigation found that Google captured personal information, including a list of names of people suffering from certain medical conditions.

Canadian privacy commissioner Jennifer Stoddart said thousands of Canadians had been affected.

The findings led her to conclude that the search giant "seriously violated" its privacy laws.

More training

Mr Smith admitted that the UK had conducted a much more basic investigation.

"We spent less time searching than others did. If we had searched for days and days we would have found more," Mr Smith said.

Following this audit, the ICO ruled that "no significant breach" had occurred.

But following publication of the Canadian data commissioner's findings, the ICO changed this to a "significant breach".

Mr Smith said that the ICO had intended all along to base its final judgement on the findings of its counterparts.

"It is not a good use of the data protection authority to duplicate more in-depth enquiries," he said.

"We have based our decision on the findings of other data authorities. It was exactly the same type of information found by them," he said.

Mr Smith revealed that the ICO is only able to audit companies that have given prior permission for such an investigation.

Jim Killock, executive director of digital advocacy The Open Rights Group, thinks this is a "shocking state of affairs".

"The ICO needs more powers and definitely needs more technical expertise," he said.

"To my mind people's privacy has been breached and they should be told about it. The ICO has a duty to let people know what has happened," he said.

Mr Killock believes that Google's data breach is more akin to unlawful interception, similar to opening someone's post without permission.

The UK currently has no public body to investigate interception breaches, a gap that led the European Commission to launch legal action against it.

The Home Office is currently consulting on how to make sure it complies with European legislation on the interception of communications.

Following the ICO's ruling, Google has promised to offer privacy training to its staff.

Other data bodies and groups around the world are still investigating its capture of wi-fi data.

Mr Killock is hopeful there will be harsher punishments for Google down the line.

"I should hope it would be fined," he said.
