SEARCH CLINIC

The UK has been subject to a “disturbing” number of cyber attacks, the director of communications intelligence agency GCHQ has said.Sensitive data on government computers has been targeted, along with defence, technology and engineering firms’ designs according to Iain Lobban the GCHQ chief.

There was a “significant” unsuccessful internet based attack on Foreign Office computer systems this summer, he added.

Tomorrow the government hosts a two day conference on the issue.

Foreign Secretary William Hague convened the London Conference on Cyberspace after criticism that ministers are failing to take the threat from cyber warfare seriously enough.

It aims to bring together political leaders, such as US Secretary of State Hillary Clinton and EU digital supremo Neelie Kroes, with leading cyber security experts and technology entrepreneurs such as Wikipedia founder Jimmy Wales and Cisco vice-president Brad Boston.

Mr Hague believes a “global co-ordinated response” is required to forge policy on cyber development.

Writing in the Times, Mr Lobban said such an inclusive approach was vital.

“The volume of e-crime and attacks on government and industry systems continues to be disturbing,” he wrote.

“I can attest to attempts to steal British ideas and designs – in the IT, technology, defence, engineering and energy sectors, as well as other industries – to gain commercial advantage or to profit from secret knowledge of contractual arrangements.

“Such intellectual property theft doesn’t just cost the companies concerned; it represents an attack on the UK’s continued economic wellbeing.”

Mr Lobban added that government online taxation and benefits services could be targeted in future, and said a black economy had already developed which saw UK citizens’ credit card details offered for sale.

The Ministry of Defence foiled more than 1,000 cyber attacks in the last year from criminals and foreign intelligence services.

The Foreign Secretary William Hague revealed in February that computers belonging to the government have been infected with the “Zeus” computer virus after users opened an e-mail purporting to come from the White House and followed a link.

He said cyberspace was providing “rich pickings” with UK defence contractors also being targeted.

A leading think tank, Chatham House, has said there is a reluctance by government to share information with the private companies that might be targeted.

It also criticised those same companies for putting up with an “unacceptably high level of risk”.

The government says it ranks cyber security as a top priority.

Last year it announced £650m of additional funding to help tackle computer-based threats.

Around £130m, or 20%, is specifically earmarked for critical infrastructure projects.

Gmail users got another reminder that Google’s personal data policies are suspect when it was revealed that Google handed over one user’s private data to the U.S. government- who had asked for it without a court order.The contacts list and IP address data of Jacob Appelbaum, a WikiLeaks volunteer and developer for Tor was given to the U.S. government after they requested it using a secret court order enabled by a controversial 1986 law called the Electronic Communications Privacy Act, according to the Wall Street Journal.

The law allows the government to demand information from ISPs not only without a warrant, but without ever notifying the user.

Sonic.net, a smaller ISP who was also asked to hand over data related Appelbaum, tried to challenge the order in court, but ultimately lost and was to give up the information. It’s not known if Google resisted the request, but both companies did try to ensure that Appelbaum could at least be made aware of the data retrieval.

According to the company’s own Transparency Report, Google received 4,601 user data requests from the U.S. government in the second half of 2010, and it complied with 94% of them.

Those requests include warrantless inquiries as well as those accompanied by a search warrant.

The idea of an ISP handing over user data to governments without the aid of a search warrant has some troubling implications for privacy advocates and civil liberties proponents.

In the WikiLeaks case, the line between advocates and participants in the transfer of data can sometimes be blurry. If in its ongoing investigation into WikiLeaks the U.S. Department of Justice is free to ask Google, Twitter or Facebook for private data without users’ knowledge, who’s to say they can’t access private information about people who have merely expressed sympathy for the organization?

Tech companies haven’t necessarily rolled over and played along with the issue.

When the Department of Justice made a similar WikiLeaks-related request of Twitter in December, the company succeeded in having the order unsealed, meaning it was at least able to notify users about the request.

The new web browser designed by Amazon for its Kindle Fire tablet has sparked security concerns that the firm will be able to track users’ every online webpage.The new browser, Amazon Silk, uses the firm’s network of giant data centres to pre-load web pages before they are delivered to the device.

According to Jeff Bezos, Amazon’s founder and CEO, this “split browser” approach will offer “ultra-fast” mobile web access. It will reduce the computation required from the Kindle Fire’s processor, which is lower performance than that of Apple’s iPad 2.

But it also means that Amazon’s systems will keep a record of every single web page that Kindle Fire users visit, which could be used to profile their interests for advertising and other commercial purposes. The records will also be subject to data requests from police and intelligence agencies, as the relatively limited data held by broadband providers.

The browser will even aim to predict your next move in its effort to shave milliseconds off loading times, by learning how users tend to browse individual websites.

“All of your web surfing habits will transit to Amazon’s cloud,” said Chester Wisniewski, of the British computer security firm Sophos.

“If you think that Google AdWords and Facebook may be watching you, this Amazon service is guaranteed to have a record of everything you do on the web.”

Amazon’s approach is similar to that of Opera Mini, a mobile browser available on Android, iOS, Symbian and Windows Mobile smartphones. Its Norwegian developer, Opera, also pre-loads and compresses web pages to speed up browsing and cut the amount of 3G bandwidth that smartphones consume.

Unlike Amazon, however, Opera has undertaken not to keep records of the web pages Opera Mini users access or profile their individual browsing habits.

“The system brings with it a need to reassure people that their privacy is being protected,” said Pål Unanue-Zahl, Opera’s communication manager.

The terms and conditions announced for Amazon Silk provide no such reassurance.

“Amazon Silk also temporarily logs web addresses for the web pages it serves and certain identifiers, such as IP or MAC addresses, to troubleshoot and diagnose Amazon Silk technical issues,” they say, adding that users are also subject to Amazon’s broad privacy policy. It allows users’ personal information to be exploited for a host of commercial purposes.

“We generally do not keep this information for longer than 30 days,” the Amazon Silk terms and conditions say.

The new browser will also pose a challenge to website owners, including some of Amazon’s major rivals.

When a user directly accesses a website from a normal browser, the website typically logs their IP address. These unique numbers are used by firms to track where their visitors come from, and for other commercially-useful traffic analyses.

But when a Kindle Fire user accesses a website, all the website will be able to log is an IP address for one of Amazon’s network of giant data centres.

The users’ IP address will go no further than the dominant online retailer.

Given the rapid growth in mobile browsing, and Mr Bezos’ plan to sell “many millions” of Kindle Fires this year alone, rivals such as Google, whose advertising business relies heavily on being able to target individuals, will miss out on valuable data.

“If you buy a Fire device, think carefully as to whether your privacy is worth trading for a few milliseconds faster web surfing experience,” said Mr Wisniewski.

Facebook has outlined plans to encourage users to share more of the media they consume – including music and movies with friends- as well as once again changing their users’ security options.Its founder Mark Zuckerberg also unveiled a dramatic redesign to the website, replacing user profiles with an audio visual timeline of their life.

The updates were revealed at Facebook’s annual F8 developer conference.

A wave of new features in recent weeks have been welcomed by some users and caused annoyance to many others.

Facebook’s latest changes point to a desire to keep users engaged through new features, in the midst of rapid innovation from social networking rivals.

The site’s application platform has been redesigned to allow users to share what they are consuming on streaming music services such as Spotify, and the movie rental site Netflix.

Depending on privacy settings, users will be able to see what friends are doing – for example, playing a song – then listen-in themselves.

Mr Zuckerberg said he wanted to create, what he called, “real time serendipity”.

“Being able to click on someone’s music is a great experience, but knowing you helped a friend discover something new and they liked your taste in music, and that you now have that in common is awesome,” he added.

Facebook said that users would only be able to do as much on the site as its media partners allowed in each country, so free music sharing through streaming apps would only work where that service was already available outside Facebook.

Alongside the deeper integration of media content, the restyling of Facebook’s profile pages is also likely to prove a hot topic among users.

Identities will now be defined through a densely packed vertical timeline of major life events, made up of photos, videos and other items. The level of detail diminishes the further down a reader scrolls.

Profile pages had previously been limited to basic information along with a stream of every single item posted by a user.

Facebook stressed that all of its new offerings could be controlled by members using its recently simplified privacy controls.

In particular, it stressed that timeline items could be modified within the new “activity log”, allowing users to limit who can view certain events from their past.

The updates are expected to start appearing on users’ computers in coming weeks.

Misspellings are being tracked to find security information- a missing dot in an email address might mean messages end up in the hands of cyber thieves, researchers have found.By creating web domains that contained commonly mistyped names, the investigators received emails that would otherwise not be delivered.

Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages.

Some of the intercepted correspondence contained user names, passwords, and details of corporate networks.

About 30% of the top 500 companies in the US were vulnerable to this security shortcoming according to researchers Peter Kim and Garret Gee of the Godai Group.

The problem arises because of the way organisations set up their email systems. While most have a single domain for their website, many use sub-domains for individual business units, regional offices or foreign subsidiaries.

Dots or full stops are used to separate the words in that sub domain.

For example a large American financial group may take bank.com as its corporate home but internally use us.bank.com for staff email.

Usually, if an address is typed with one of the dots missing, ie usbank.com, then the message is returned to its sender.

But by setting up similar doppelganger domains, the researchers were able to receive messages that would otherwise be bounced back.

Only one of the companies being impersonated noticed that spoofing was taking place and tracked down the researchers.

A clever attacker could cover their tracks by passing on the message to its correct recipient and relaying back any reply.

By acting as a middleman the likelihood of more messages being mis-sent using the “reply” function increases.

Follow-up work by the researchers revealed that some cyber criminals may already be exploiting keyboard errors.

A search uncovered many addresses resembling corporate sub-domains which were owned by individuals in China or linked to sites associated with malware or phishing.

Police say they stopped rioters after monitoring intelligence on social networks like Twitter and BlackBerry Messaging (BBM).Assistant Met Police Commissioner Lynne Owens told a committee of MPs officers learned of possible trouble via Twitter and Blackberry messenger.

He said they provided intelligence but could also be misleading.

A number of politicians, media commentators and members of the police force have suggested that Twitter and Blackberry Messenger (BBM) had a role to play in the riots.

The BBM system is popular among many young people because it is both private and secure – users are invited to join each other’s contacts list using a unique PIN, although once they have done so, messages can be distributed to large groups.

Ms Owens said officers had been attempting to sift through an “overwhelming” amount of “chitter chatter” on social networks during last week’s riots in London, but some had proved vital.

“Through Twitter and BBM there was intelligence that the Olympic site, that both Westfields [shopping centres] and Oxford Street were indeed going to be targeted,” she told the home affairs select committee. We were able to secure all those places and indeed there was no damage at any of them.”

Not only are RIM (Research in Motion, Blackberry’s owner) the most secure messaging operator, they’re also the most fastidious – they log everything. If you were a looter using a Blackberry, you’re going to get found out.

The police have the power to serve RIM with an order to reveal information. Under the same law, RIM are barred from disclosing whether they’ve done so or not.

But although RIM can’t say it themselves, I can say with confidence that they’ll be doing everything they can to help. It’s a reputation issue – these people are a tiny minority of their users and they want the remainder to see them doing all they can to track them down.

RIM don’t need to reveal the actual contents of messages in order do that. They can tell police who sent a message to whom and when. The police can then ask the network operators where that was done – and the sum total will probably be enough to be used as evidence.

If you know a Blackberry belonging to a suspect sent a message to 45 other Blackberries and then those 45 owners all turn up in Ealing or Tottenham an hour later, it’s clear what’s going on.

And while much of the information coming via social media “was obviously wrong and rather silly”, he said police did considered trying to shut the networks down in order to prevent them being used to organise further violence.

Blackberry has offered to co-operate with police investigating the riots – prompting attacks by hackers angry that the company could be prepared to hand over user data to authorities.

Researchers of the Quantum Hacking group at the Norwegian University of Science and Technology (NTNU), and the Centre for Quantum Technologies at the National University of Singapore have devised a way to circumvent security key codes which are vital to secure data transmissions.They have created- ‘Eve’ which is code breaking parlance for ‘eavesdropper’.

The researchers have used Eve to crack a type of coded communication thought to have been impossible to break, called quantum key distribution (QKD).

QKD is not an encryption algorithm itself, but a means of securely sharing the cryptographic keys used by sender and recipient to encrypt and decrypt messages.

These pre-agreed ciphers are frequently handed out over fibre optic connections, but being digital files, they could theoretically be intercepted and copied on the way.

QKD exploits a key principle in quantum physics – namely that you can’t measure or examine individual photons of light without altering their state.

When a user wants to exchange a secret key using QKD, they first send a message in specially coded photons to the other user. If an eavesdropper tries to intercept this, they destroy some information – and the communicators know someone is monitoring their communication.

The technique is so effective that it has attracted substantial investment from e-business, banking and defence.

Rather than reinventing science, Eve simply tricks the system by sitting between sender and receiver and intercepts the key, something that would normally be detected.

However, Eve dazzles the receiver’s detector with a laser so it can’t see individual photons. This allows her to send a faked copy of the photon message.

“We just use bright light. And the detectors do the same thing our eyes do – they’re blinded,” said Dr Makarov.

However, the sensors remain responsive to strong light. “If we now send a bright flash at them, they think they’re seeing a single photon,” said Dr Makarov. Eve uses these flashes to duplicate the photon message to the unsuspecting receiver.

Toshiba has since demonstrated how to repel the blinding attack, and QKD manufacturers have incorporated the improved design into their machines.

Yet Dr Makarov thinks that Toshiba’s update ignores wider vulnerabilities. “They made a fix which makes our crack ineffective. But there are other methods that can control detectors, even when patched,” he said.

Despite this, commercial QKD manufacturers – like Swiss firm ID Quantique – claim to ‘redefine security’ with their expensive products.

How do they react when researchers like Dr Makarov tip them off about new problems, and force hasty improvements to their designs?

A leading German privacy official has accused Facebook of using face recognition software in a manner that violates German and European law.Facebook was also scolded for collecting and storing biometric data without users’ consent

Johannes Caspar, a data protection expert with the city of Hamburg, called on the US-based social networking company to delete from its site the individual biometric data it has collected.

“If the users’ data falls into the wrong hands, it would be possible to compare and identify anybody captured in a photo taken with a mobile phone,” Mr Caspar told the Hamburger Abenblatt newspaper.

The programme allows Facebook users to locate new “Friends” after discovering their identity through a biometric data scan.

The programme tries to match data captured in a picture with the trove of data it has already collected from its hundreds of millions of users.

“This is what’s most problematic. The programme feeds off a stock of data designed to physically identify millions of users,” he said.

He further scolded Facebook for collecting and storing biometric data without users’ consent, insisting the practice violates privacy laws.

Germany, which is considered a leader on Internet privacy issues, has criticised Google for its “Street View” programme, which makes street-level images freely available online.

German officials also previously urged Facebook to beef up its privacy protections, notably over its Friend Finder feature, which allowed the site to register or even import users’ entire email address books without notifying them.

Police may be able to use rioters’ mobile phone information to help convict them.
Investigators can apply to see the contents of text and instant messages, as well as their location.

However, authorities may not be able to access the full wealth of data available to telecoms companies because of legal restrictions.

Guidelines require police to find out individuals’ identities first before obtaining records from trouble spots.

Research In Motion, maker of the BlackBerry smartphone, has already said that it will be cooperating with investigations, and pointed out that it is legally required to hand over subscriber information when it relates to criminal activity.

The company’s BBM instant messenger has been identified as one of the services used by rioters to coordinate their actions.

Under the Regulation of Investigatory Powers Act (RIPA), police can apply for details of a customer’s phone records, including their location, details of calls made and received, and internet activity.

Police would be unable to carry out a broad-based search, identifying, for example, every person who was in Clapham Junction sending the word “riot”.

Initial identification data would likely need to be taken from video, photographs, CCTV footage and other intelligence.

Those limits mean telecoms subscriber data becomes useful additional evidence, rather than a first port of call.

Despite the restrictions, some legal experts believe there is scope to push RIPA guidelines further than they have been in the past.

That basic information could be used to narrow down suspects worthy of further investigation, without violating either data protection or RIPA guidelines, he explained.

A High Court judge has ruled that BT must block access to the Newzbin website which provides links to pirated movies.
Newzbin is a members-only site which aggregates a large amount of the illegally copied material found on Usenet discussion forums.

The landmark case is the first time that an ISP has been ordered to block access to such a site.

It paves the way for other websites to be censored in the future.

In his ruling, Mr Justice Arnold stated: “In my judgment it follows that BT has actual knowledge of other persons using its service to infringe copyright: it knows that the users and operators of Newzbin 2 infringe copyright on a large scale, and in particular infringe the copyrights of the studios in large numbers of their films and television programmes.”

He continued: “It knows that the users of Newzbin 2 include BT subscribers, and it knows those users use its service to receive infringing copies of copyright works made available to them by Newzbin 2.”

BT and the Motion Picture Association (MPA), which brought the case, will be back in court in October to work out how the blocking will work. BT said it will not appeal the ruling.

The MPA which represents a number of movie studios including Warner, Disney and Fox, launched the legal action as a last-ditch attempt to close down Newzbin 2.

The MPA signalled its intention to pursue other ISPs.

Link sites such as Newzbin 2 are gaining popularity as those determined to get their hands on free content move away from traditional peer-to-peer downloading methods.

A previous court case had ruled that Newzbin 2′s predecessor must stop linking to free content but a new version of the site was set up outside of the UK’s jurisdiction in Sweden.

Justice Arnold ruled that BT must use its blocking technology CleanFeed – which is currently used to prevent access to websites featuring child sexual abuse – to block Newzbin 2.

The Internet Service Providers’ Association has been a fierce critic of web blocking. It said that using blocking technology designed to protect the public from images of child abuse, was inappropriate.

Digital rights organisation the Open Rights Group said the result could set a “dangerous” precedent.

“Website blocking is pointless and dangerous. These judgements won’t work to stop infringement or boost creative industries.

“And there are serious risks of legitimate content being blocked and service slowdown. If the goal is boosting creators’ ability to make money from their work then we need to abandon these technologically naive measures, focus on genuine market reforms, and satisfy unmet consumer demand,” said ORG campaigner Peter Bradwell.