Archive for January, 2012

I am all your hacking needs

January 30, 2012

I frequently reject comments that I consider to be spam or gratuitous advertising. In fact, between us, me and Akismet have denied around 20,000 comments – and counting. But Akismet missed this one – correctly, I suppose, because it’s not spam. It’s advertising. Now my arbitrary policy on gratuitous advertising is to ask myself, will it be of use to the reader? If it will, then I allow it. If not, I deny it.

But this one? Well, I suppose it might be of help to some readers…

security audit of your website(s) HACKING OF WEBSITES & Hacking Accounts which include facebook, twitter this is pretty easy, myspace, skype, and email ids. I require either a Name, Friend ID, or E-mail address of the targets account(s). I have the help of a current 0-Day Exploit that allows me to gain remote access to the website servers and from there I find the password which is usually in an MD5 hash, from that I must decrypt to get the real password. The entire process takes about 30 minutes-1 hour to complete. All passwords are tested out 3 times before they get issued to any clients. I also rip Standards from websites. I accept payment through LR (Liberty Reserve) Only. I hardly ever USE WESTERN UNION!
YOU CAN REACH ME ON: kxxxxxxxx3@yahoo.com (SEND ME AN IM THROUGH Y! MESSENGER OR MAIL) I also sell bank logins and credit cards

for your daily hacking problems AND ALSO corporate problems contact kxxxxxxxx3@yahoo.com

Categories: All, Security Issues

Circumventing Twitter’s censorship

January 29, 2012

Twitter’s announcement that it will start censoring tweets where required by the law of the country concerned has upset many people. It is, however, difficult to know what else the company can do: the law is the law; and surely some Twitter is better than no Twitter at all.

But maybe Twitter is better than we thought: The Next Web has pointed out that its own help files explain how to circumvent the censorship. Tweets will be censored on a country basis. Twitter understands the user’s country by the user’s IP address. But since this isn’t foolproof, especially on mobile devices, Twitter allows the user to manually change his or her country settings via a simple drop-down box.

The implication is that if you start finding ‘Withheld’ tweets in your timeline, simply telling Twitter that you are really in a different country with a less censorious regime will reveal them. It is, according to The Next Web, as simple as that.

What happens next will be telling. If this is just a loop-hole, we can expect Twitter to try to close it. But it’s difficult to imagine that Twitter doesn’t know its own system, and even more difficult to see what it can do about it. Purely relying on IP addresses will leave open the possibility of censoring tweets in or from countries that believe in freedom of expression.

Categories: All, Politics, Security Issues

The EU and the UK cannot have signed ACTA: neither the BBC nor the Europa press service know anything about it

January 27, 2012

Isn’t it strange that the BBC reports that “Thousands of protesters have taken to Poland’s streets over the signing of an international treaty activists say amounts to internet censorship”? And then goes on to say that “Poland was one of several European Union countries, including Finland, France, Ireland, Italy, Portugal, Romania and Greece, to sign the treaty on Thursday but it appeared to be the only place where it caused protest.”

Very strange since the BBC is probably the UK’s leading news service and certainly the UK’s national news service paid for by the UK people – and it omits to mention that the UK also signed this document at the same time in the same place in Tokyo.

Isn’t it strange that the EU’s news service says nothing about it also signing the ACTA agreement at the same time in the same place in Tokyo?

And that neither news service seems to be aware that Kader Arif, the appointed rapporteur for ACTA in the European Parliament, has resigned in protest, saying he will not take part in this masquerade?

Conspiracy of silence? Too damn right.

UPDATE
And finally the BBC catches up – 24 hours after the news breaks. The BBC is supposed to let the cat out of the bag, not chase after it when it escapes.

Categories: All, General Rants, Politics

Is this the new national DNA identity database?

January 26, 2012

You have to look long and hard, but eventually you find it. There, on page 51 of ‘Building on our inheritance – Genomic technology in healthcare’ is the one and only mention of the national whole genome sequence database. From the beginning you know it must exist. The report talks throughout about the benefits that will accrue to mankind from the widespread use of whole genome sequence research; but it only makes sense if the data is complete and freely available. But not until page 51, and only on page 51, is the national genome database mentioned.

This would not necessarily require data stored locally: patient sequence data could be stored securely in a national database, making it accessible to the centres but also to the patient’s physician or GP.

Let’s be clear: this is a national DNA database. But it’s OK, because this is for health rather than law enforcement. And it will, yeah right, only be available to health officials, and health researchers, and pharmaceutical companies and academics and probably anyone who pays for it – internationally. The report makes very clear that if national research is good, international research is very much better.

It is, in effect, a national DNA database writ large. It has all the worst elements of the police DNA database combined with the NHS central records database and will undoubtedly cost a great deal more than both and be more dangerous and insecure than either.

And for what? “Government should not be duped by hype about genomics: some useful applications will exist but most diseases in most people and many adverse drug reactions are not predictable from people’s genes,” said Dr Helen Wallace, Director of GeneWatch UK. “Storing personal genomes for no reason would lead to a massive marketing scam, based on selling drugs to healthy people who are told they are at risk of getting diseases in the future.”

My concern is that government is quite relaxed about a new national DNA database from which it will gain all the benefits with none of the blame; that, in effect, a national genome database is already a conspiracy between government and the pharmaceutical companies in just the way that ACTA and DEA and SOPA and PIPA and others are a conspiracy between governments and the entertainment industry.

Categories: All, Security Issues

Last week’s stories on Infosecurity Magazine

January 23, 2012
Categories: All, Security News

Absinthe – jailbreaking the Apple 4S

January 23, 2012

There is a new jailbreak for the Apple 4S called Absinthe (a strong alcoholic drink prepared from wormwood and largely banned for its toxicity). I have written about this for Infosecurity Magazine here.

But what I want to consider now is perhaps more philosophic: is a jailbroken iPhone basically an Android? Opinions vary.

David Harley, the independent researcher behind the Mac Virus website, thinks ‘not really’. Jailbreaking alters the Apple’s kernel. If this is done you would get no further support from Apple. As a result, software that really requires co-operation between the developer of the software and the developer of the hardware would be at a disadvantage. Anti-virus software running on a jailbroken Apple, for example, would suffer. “So no,” he says, “jailbreaking isn’t precisely analogous to an unrooted Android: while most Android AV is pretty patchy in performance, you can get AV that could be described as commercial standard.”

Luis Corrons, PandaLabs

But yes, thinks Luis Corrons of PandaLabs. “At the end of the day, the main difference between both platforms is that Android gives me, as a user, the option to decide what applications I want to install.” Confirming his view, Luis has a jailbroken iPad 1 and used to use a jailbroken iPhone 3GS (which he has now replaced with an Android Galaxy SII).

David Emm, Kaspersky

Kaspersky’s David Emm has a similar view. “It’s the commercial models taken by Apple and Google that are different.” The result of these commercial differences is that a jailbroken Apple has access to hundreds of thousands of secure apps plus a few hundred unknown apps from the Cydia Store. Android users have access to hundreds of thousands of unknown apps. The inference I draw, unstated by David, is that a jailbroken iPhone remains more secure, albeit more restricted, than an Android.

So what can we conclude? Not a lot really. If you jailbreak an iPhone you can technically gain the freedom inherent in an Android – but since most users will still be limited to third-party apps, you don’t gain many more. And you lose the security of the iPhone. In the final analysis, you simply pay your money and take your choice: Apple if you want security; Android if you want freedom. Jailbreaking seems to give you neither.

Kaspersky
PandaLabs
Absinthe download (unchecked, unverified)

Categories: All, Security Issues

Public sector data breaches: what should be done?

January 18, 2012

Should staff, not the taxpayer, pay fines for public sector data breaches? This is a question posed by UKauthorITy, a publisher of IT related news for the local sector. It quotes the TaxPayer’s Alliance:

Of course people in these situations should be held personally liable as if the council is fined, then that fine is paid for out of the local council taxes. In essence it is a double tax – once for collecting/storing the data and again for losing it.

Should staff, not the taxpayer, pay fines for public sector data breaches?

Grant Taylor, UK VP of CryptZone, is against the idea of fining the staff rather than the organization, and puts forward a strong case. “If the penalties are applied to nominated senior managers in the relevant NHS trust, council or other government agency – as is the case with corporate responsibility, for example within transportation authorities – then the public sector could be forced into building liability insurance remuneration into management salaries, as has been required by medical professionals for some time,” he argues. This will simply have the effect of “moving the cost of data breach penalties across the government spreadsheet – with the taxpayer continuing to foot the bill.”

Grant believes that education and open discussion is the solution. “But to reduce the argument to individual ICO penalties within the workforce would only result in the departure of the most talented member of staff – who will be streamed off into the private sector – with predictable results. This is what makes this argument something of a non-starter in our opinion,” he concludes.

I sort of agree; but I don’t think education will ever be enough to protect our data. The bottom line is the current arrangements just are not working. Personal data continues to be lost, councils are fined, and the ‘double tax’ described by the TaxPayer’s Alliance is a reality. But potential remedies exist, and always have existed, without any action from the ICO. It is the concept of responsibility – when things go wrong, there is always someone at fault.

Consider this. Organizations will have procedures that are part of the security policy and part of the employment contract. If these procedures are followed, then data will not be lost. If they are followed and data is still lost, then the author of the procedures is responsible because he or she simply didn’t do the job properly. If the procedures are not followed and data is lost, then the person who loses the data is responsible because he or she didn’t follow procedures. Because the procedures are part of the employment contract, failure to follow them is a disciplinary offence. It’s not a case of the ICO fining individual staff, it’s a case of the organization sacking staff who haven’t done their job.

The advantage of this simple approach is that it doesn’t frighten off good staff (good staff will always be confident in their own abilities), but it does weed out poor staff. And it doesn’t cost the taxpayer an additional penny.

There are even in-built safeguards in this approach. Organizations always have bullies. Middle managers at fault will generally blame their staff. But that’s why we have employment protection laws and tribunals. If a scapegoat is selected and sacked to protect a manager, that scapegoat has recourse to the law. So we don’t need to fine individual staff or the organization. We don’t even need the ICO. We just need to do what we always could do: in the event of a data breach, the person responsible should automatically be sacked.

CryptZone

Categories: All, Security Issues

The commercialisation of the Olympic spirit

January 17, 2012

The extent to which the legitimate protection of rights begins to overlap outright censorship is a concern. We all know about large-scale developments such as SOPA in the USA and the Digital Rights Act in the UK, where the pretext of defending rightsholders can easily be used by government to take down and censor the bits of free speech it doesn’t like. But the contagion is spreading (hat tip to Guido for highlighting it).

The International Olympic Committee (IOC) has issued what it calls ‘guidelines’ but what are actually instructions in a document titled IOC Social Media, Blogging and Internet Guidelines Instructions for participants and other accredited persons at the London 2012 Olympic Games. The document itself is fully copyrighted, so the IOC could tell me to remove this.

IOC guidelines for journalists/bloggers

Guido highlights section 2:

2. Postings, Blogs and Tweets
The IOC encourages participants and other accredited persons to post comments on social media platforms or websites and tweet during the Olympic Games, and it is entirely acceptable for a participant or any other accredited person to do a personal posting, blog or tweet. However, any such postings, blogs or tweets must be in a first-person, diary-type format and should not be in the role of a journalist – i.e. they must not report on competition or comment on the activities of other participants or accredited persons, or disclose any information which is confidential or private in relation to any other person or organisation. A tweet is regarded in this respect as a short blog and the same guidelines are in effect, again, in first-person, diary-type format.

Postings, blogs and tweets should at all times conform to the Olympic spirit and fundamental principles of Olympism as contained in the Olympic Charter, be dignified and in good taste, and not contain vulgar or obscene words or images.

Such instructions are, frankly, a bloody nerve; and I would dearly love all journalists to decline to become ‘accredited’ in response. But the bit that really bothers me is this:

The IOC will continue to monitor Olympic on-line content to ensure that the integrity of rights-holding broadcasters and sponsor rights as well as the Olympic Charter is maintained…

and if not

The IOC reserves all its right to take any other appropriate measures with respect to infringements of these Guidelines, including issuing a Take Down Notice…

Take down? The Olympic spirit has degenerated into a threat to take down stories/websites it doesn’t like? Jesse Owens wept!

Categories: All, General Rants

If in doubt – don’t

January 17, 2012

I had the following email from a friend.

Email message

This friend is big in the Truth movement – so ‘persuasion’ is strong in his agenda. He also collects, distributes and televises independent ‘truth’ videos. So it’s all reasonable, and because of the friendship I’m tempted to view.

But…

He doesn’t usually SHOUT. He invariably says ‘hello’ and ‘how are you’ – and we haven’t spoken since before the holidays. His grammar is usually a bit better, and a belated ‘happy new year’ would be typical.

So I had a niggle. Rather than checking the video I checked the sender.

Hi Friend

Happy new year! Can you confirm you sent me this?

If you did, I’ll have a gander. If you didn’t, you’ve been hacked…

Within half an hour I got a reply:

Happy new year.

I’ve been hacked!

The link in the email is redirected here, by the way. I didn’t, and wouldn’t recommend, going any further. In fact, I wouldn’t recommend going this far…

Scam email destination

The moral to this tale is simple: Look before you Link.

Categories: All, Security Issues

This week’s news stories on Infosecurity Magazine

January 13, 2012
Categories: All, Security News