Players at risk from game store hack

Written by Unknown on Wednesday, 20 March 2013 | 23.58

19 March 2013 Last updated at 07:02 ET

More than 10 million people thought to have accounts with Electronic Arts's (EA) Origin game store are at risk from a hack attack that swaps games for malicious code, researchers say.

In lab experiments, the researchers exploited a loophole in the way Origin handles links to games users have downloaded and installed to make it run code that compromised a target machine.

There is no evidence the loophole has yet been used by malicious hackers.

EA is investigating the vulnerability.

Launched in 2011, Origin acts as a distribution system, where customers can buy, download and manage EA video games as well as chat with friends about them.

But Donato Ferrante and Luigi Auriemma, from security company ReVuln, found a weakness in the way games were started via Origin.

Like many other programs, Origin uses a web-like syntax to keep track of the places games are found on a computer so they can quickly be started when people want to play.

The two researchers found a way to subvert this syntax to make it point to malicious code instead of a game.

"An attacker can craft a malicious internet link to execute malicious code remotely on victim's system, which has Origin installed," wrote the researchers in a paper detailing their work.

Attackers needed to know some identifying information about players to make good use of the vulnerability, wrote the pair.

However, they said, it was easy for attackers to get around this hurdle because Origin did not prevent repeated attempts to guess identifying information.

A demonstration of the attack was given at the Black Hat Europe conference, in which a Windows PC running Crysis 3 and Origin was taken over by the pair's attack code.

In a statement given to the Ars Technica website, EA said it was investigating hypothetical attacks such as the one found by Mr Ferrante and Mr Auriemma as part of the work it did to improve security on Origin.

Mr Ferrante and Mr Auriemma said players could protect themselves against potential attack by stopping Origin launching games via desktop shortcuts.

But this would mean games would have to be started directly from Origin.



Activists switch on net 'bat signal'

19 March 2013 Last updated at 08:37 ET

Activists have switched on an internet signalling system to help co-ordinate protests about a draft law in the US.

The Cyber Intelligence Sharing and Protection Act (Cispa) aims to aid investigation of web attacks.

But the activists say the law would erode privacy by exposing people's browsing habits and would be used to justify domestic surveillance.

The "bat signal" system tells followers to start displaying protest materials such as website banners and petitions.

Plans for the signalling system emerged in early 2012 following protests and website blackouts in opposition to two other draft laws in the US, the Stop Online Piracy Act and the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act.

The web action was widely seen as influential in the campaign that saw both those laws shelved.

In a bid to harness the wave of activism those protests started, social news sites such as Reddit and Fark joined up with rights groups and many others to launch the Internet Defense League (IDL).

Rallying point

Instead of reacting on an incident-by-incident basis, the IDL monitors threats to online privacy and lets supporters know when to ramp up protests.

The IDL also said it would create protest materials such as website banners, petitions and information about how to contact politicians, so people can voice their opposition in a co-ordinated manner.

In addition, some members have embedded code on the sites they control, so protest materials are shown automatically when the "bat signal" is activated.

Those behind the IDL want it to be a rallying point for action, just as the "bat signal" is used as a way to tell fictional superhero Batman he is needed.

The signal has been switched on as Cispa is debated in the US Senate for the second time.

Opposition to the law from US President Barack Obama's advisers, who said it lacked privacy safeguards, led to it being vetoed in late November 2011 on its first outing.



US hacker jailed over AT&T attack

19 March 2013 Last updated at 10:03 ET

A US 'hacktivist' who broke into telecommunication giant AT&T's network and stole contact details for 120,000 iPad owners has been sentenced to 41 months in jail.

Andrew Auernheimer, aka Weev, stole the email addresses by exploiting a bug in the way AT&T set up its network.

Auernheimer passed the addresses to a journalist claiming the hack was done to highlight security failings.

But officials said Auernheimer knew he was breaking the law with the attack.

'No harm'

In a statement, US attorney Paul Fishman said Auernheimer "concocted" the story that the attack was done to make the internet more secure only after he got into trouble for the 2010 hack.

"The jury didn't buy it, and neither did the court in imposing sentence upon him today," said Mr Fishman.

In the hack attack Auernheimer worked with co-defendant Daniel Spitler to explore a bug in AT&T's network settings. They discovered that AT&T servers responded with email addresses for iPad owners when passed identifying numbers from Sim cards in the tablets.

Spitler, who pleaded guilty in June 2011, wrote software to crank through lots of different ID numbers which netted the pair more than 120,000 email addresses. AT&T has closed this loophole.

The list of addresses was passed to several journalists to publicise what the pair had found.

Lawyers for the Electronic Frontier Foundation (EFF), which campaigns on digital rights, said the sentence was unjust.

"Weev is facing more than three years in prison because he pointed out that a company failed to protect its users' data, even though his actions didn't harm anyone," said Marcia Hofmann, an attorney at the EFF.

"The punishments for computer crimes are seriously off-kilter, and congress needs to fix them," she added. The EFF would help Mr Auernheimer prepare an appeal against the sentence, she said.

Spitler is currently awaiting sentencing.



Internet fears over press regulation

19 March 2013 Last updated at 13:57 ET

Concerns have been raised that bloggers may face stiff libel fines under rules imposed by a new press watchdog.

Political blogger Iain Dale said he would "certainly" be covered by the regulator and the Huffington Post's Carla Buzasi said the body's remit relating to the internet was unclear.

But the government says the criteria that determine whether a publisher is liable protect "a single blogger".

Meanwhile, some newspapers are seeking legal advice on whether to co-operate.

The publishers of the Daily Mail, the Sun, the Times, the Telegraph, the Daily Star and the Daily Express said they would wait to make a decision.

The new press watchdog is to be established in England and Wales by royal charter and backed by legislation.

The new regulatory regime will replace the current system, under which the press is self-regulated voluntarily through the Press Complaints Commission.

The deal follows Lord Justice Leveson's inquiry into press ethics - held in the wake of the phone-hacking scandal.

The inquiry examined the ethics and practices which allowed journalists to hack thousands of phones. It called for a new independent press watchdog, backed by legislation to ensure it was doing its job properly.

"There are not necessarily going to be newspapers in 10 years - the news brands will survive, but we are all bloggers now" - Harry Cole, Guido Fawkes website

Party leaders said the new independent regulator - with powers to demand up-front apologies from UK publishers and impose £1m fines - would protect victims of press intrusion and preserve press freedom.

But the extent to which the new regulation applies to the internet is not yet clear.

Having read the royal charter, Mr Dale wrote: "I think my blog would certainly fall under the remit. And it stinks."

"If I don't sign up and I am successfully sued, a judge would award exemplary damages against me," he said, adding that he could not risk his family's financial future.

Three tests

"This is madness. All that will do is encourage people with a grudge to make a complaint in the full knowledge that they will never be held responsible for what they are doing," he said.

On Monday, Culture Secretary Maria Miller said that to be affected by the change, a "publisher would have to meet the three tests of whether the publication is publishing news-related material in the course of a business, whether their material is written by a range of authors - this would exclude a one-man band or a single blogger - and whether that material is subject to editorial control".

She said the new rules were designed to protect "small-scale bloggers" and to "ensure that the publishers of special interest, hobby and trade titles such as the Angling Times and the wine magazine Decanter are not caught in the regime".


Guidance issued by the Department for Culture, Media and Sport (DCMS) said all three of these tests would have to apply.

But "online-only edited 'press-like' content providers" - such as the Huffington Post and Holy Moly Gossip - would be relevant publishers.

"Ultimately, it is a matter for the court to decide on the definition of a relevant publisher based on assessment of the facts, in accordance with the three interlocking tests - course of business, range of authors and editorial control," said a DCMS spokeswoman.

Mrs Buzasi, editor-in-chief of the Huffington Post UK, said she was "concerned" there was confusion over who was covered, adding that she felt the agreement had been "rushed".

And Harry Cole, who writes for the Guido Fawkes political blog, said the regulatory changes had been implemented in a "chaotic fashion".

"They don't understand that [the internet] is the future. There are not necessarily going to be newspapers in 10 years," he said.

Fraser Nelson, editor of The Spectator weekly news magazine, told the BBC's PM programme his publication would not be signing up to the new regulations.

He said politicians had "created a new club" and that "looking at the membership rules, it's not something The Spectator feels like joining up to".

He added that he hoped newspapers "will not go down this route" and instead devise an alternative system.

Earlier, a joint statement signed by Associated Newspapers, News International, the Telegraph Media group and Northern & Shell said no newspaper or magazine industry representative had been involved in the cross party talks on press regulation on Sunday and that they had only seen the royal charter on Monday.

'Crippling burden'

The Newspaper Society, representing local papers, said the proposals would place "a crippling burden on the UK's 1,100 local newspapers, inhibiting freedom of speech and the freedom to publish".

That was, in part, because of the "huge financial penalties for newspapers which choose to be outside the system and an arbitration service which would open the floodgates to compensation claimants", president Adrian Jeakings said.

Judges could award punitive damages against publications which refuse to sign up to a new watchdog, in the event of a court case if a complaint could have been resolved through arbitration.

Prime Minister David Cameron said he was convinced the system would work and endure: "I am confident that we've set up a system that is practical, that is workable, that protects the freedom of the press and it's a good strong self-regulatory system for victims."

He said a new system would ensure:

  • upfront apologies from the press to victims
  • fines of 1% of turnover for publishers, up to £1m
  • a self-regulatory body with independent appointments and funding
  • a robust standards code
  • a free arbitration service for victims
  • a speedy complaints system


Blood-test device 'goes under skin'

19 March 2013 Last updated at 21:49 ET By Michelle Roberts Health editor, BBC News online

Scientists say they have developed a tiny blood-testing device that sits under the skin and gives instant results via a mobile phone.

The Swiss team say the wireless prototype - half an inch (14mm) long - can simultaneously check for up to five different substances in the blood.

The data is sent to the doctor using radiowaves and Bluetooth technology.

The device's developers hope it will be available to patients within four years.

It is designed to be inserted, using a needle, into the interstitial tissue just beneath the skin of the abdomen, legs or arms. And it could remain there for months before needing to be replaced or removed.

Micro-monitoring

Other researchers have been working on similar implantable monitoring devices, but Prof Giovanni de Micheli and lead scientist Sandro Carrara say their under-the-skin test is unique because it can measure many different markers at the same time.

They say it will be particularly useful for monitoring chronic conditions such as high cholesterol and diabetes as well as tracking the impact of drug treatments such as chemotherapy.

Prof De Micheli, of Ecole Polytechnique Federale de Lausanne, said: "It will allow direct and continuous monitoring based on a patient's individual tolerance, and not on age and weight charts or weekly blood tests."

So far, the researchers have tested their device in the lab and on animals and say it can reliably detect both cholesterol and glucose in blood as well as some other common substances doctors look for.

They hope to begin testing the device on intensive care patients - patients who require a great deal of close monitoring, including repeated blood tests.

The research results will be published and presented at the Design, Automation, and Test in Europe (Date) electronics conference.



South Korea network attack 'a virus'

20 March 2013 Last updated at 06:40 ET

Disruption that paralysed the computer networks of broadcasters and banks in South Korea appears to have been caused by a virus, an official close to the investigation has told the BBC.

The official said it was believed a "malicious" code was to blame for the system failure.

He said investigators were trying to identify and analyse the virus.

Last week, North Korea accused the US and its allies of attacks on its internet servers.

In the latest incident, two South Korean banks, Shinhan Bank and Nonghyup, and three TV stations KBS, MBS and YTN, all reported that their networks had suddenly shut down on Wednesday afternoon.

The BBC's Lucy Williamson in Seoul says that, for one of the world's most networked populations, South Korea has had more than its share of cyber attacks.

North Korea has been blamed for several breaches over the past few years, she says.

Initially, South Korea's Communications Commission suspected a cyber-attack. However, the BBC was later told that experts had concluded it was not a denial-of-service attack, of the kind South Korea has experienced in the past.

'Skulls' on screens

Staff at the three broadcasters said their computers crashed and could not be restarted, with screens simply displaying an error message, although they have continued to make television broadcasts, our correspondent said.

There were also reports of skulls popping up on some computer screens, which could indicate that hackers had installed malicious code in the networks, the Korean Internet Security Agency said.

Some services at Shinhan bank, including internet banking and ATM machines, were also affected, although operations now appear to have been restored.

In the immediate aftermath of the incident, South Korean internet service provider LG Uplus said it believed its network had been hacked, Reuters news agency reported.

An official from the presidential office told Yonhap news agency it was not yet known whether North Korea was involved.

"We do not rule out the possibility of North Korea being involved, but it's premature to say so," Defence Ministry spokesman Kim Min-seok said.

Surveillance upgrade

No government-related computer networks had been affected, an official from the National Computing and Information Agency (NCIA) told the agency.

The military has upgraded its information surveillance status by one level, Yonhap said.

North Korea is believed to have been behind two major cyber attacks on the South, in 2009 and 2011, that targeted government agencies and financial firms.

Nonghyup bank was one of the victims of the 2011 attack, which left its customers unable to access or transfer their cash for three days.

North Korea has stepped up rhetoric in recent days in response to fresh UN sanctions over its nuclear test in February and joint annual military drills between the US and South Korea, which it bitterly opposes.

On 15 March, North Korea's KCNA news agency accused the US and its allies of "intensive and persistent" hacking attacks on its networks.

Official sites such as KCNA, Air Koryo and Rodong Sinmun, the party newspaper, were reportedly inaccessible for short periods.



Apple 'losing inspiring reputation'

20 March 2013 Last updated at 06:52 ET

Technology giant Apple is perceived as less "inspiring" than it was three years ago, a brand survey suggests.

The findings will heighten concerns among shareholders who have seen about $230bn wiped off Apple's stock market value since September 2012.

Smartphone rival Samsung is now seen as equally "inspiring" in the US, says the survey by consultancy Added Value.

Analysts fear Apple may have lost its way since its visionary co-founder, Steve Jobs, died in October 2011.

While Apple's brand still scores more highly overall, Samsung's is more consistently appreciated across the world, particularly in East Asia, says Added Value, part of Sir Martin Sorrell's WPP group.

Apple's reputation for market-leading innovation took a knock after the iPhone 5 was seen as an iteration of an earlier design rather than a characteristic step-change.

According to research by Gartner, Samsung and Apple now account for 52% of the global smartphone market, but in the final quarter of 2012, Samsung sold 64.5 million smartphones to Apple's 43.5 million.

Similarly, Apple's iPad Mini was a response to rival, smaller tablet computers already on the market, adding to the impression Apple was following, not leading.

Patent battles

In September 2012, Apple's share price topped $700 - a record for the company - giving the tech company a market capitalisation of more than $655bn.

But since then, the price has tumbled, wiping about $230bn off the company's value.

Since 2011, Apple and Samsung have been slugging it out across the world's courts in a series of distracting patent battles.

Apple first sued Samsung in the US for alleged intellectual property infringements. Other court cases have taken place in France, Germany, the UK, the Netherlands, Italy, South Korea and Japan, with no company yet emerging as the clear winner.

Apple may be sitting on a $137bn cash mountain, but unless it can recapture its role as an "inspiring" technology leader and settle its legal battles, the perception may grow that its best days are behind it, analysts believe.

'Bold and exciting'

In its Cultural Traction 2013 report, Added Value analysed the "cultural vibrancy" of 160 brands across 15 sectors, involving more than 62,000 respondents in 10 countries.

The top 10 brands perceived to be the most "visionary, inspiring, bold and exciting" were Google, Apple, Samsung, Ikea, Microsoft, Sony, BMW, Audi, Coca-Cola and eBay.



Fake ad botnet 'stealing millions'

20 March 2013 Last updated at 08:24 ET

A network of thousands of computers stealing millions of dollars from advertisers by generating fake advert viewings has been discovered.

British web analytics firm Spider.io claims the "Chameleon" botnet is made up of 120,000 home PCs and costs advertisers $6m (£3.9m) per month.

Spider.io said that Chameleon simulated clicks on adverts on over 200 sites.

The firm said the botnet was responsible for up to nine billion false ad views every month.

Websites that show display ads receive money when an ad is viewed, in what is called cost-per-impression advertising: advertisers selling a product or a service pay the website owner a fixed amount each time their ad is viewed.

The ads are typically placed by advertising networks that act as middlemen - the network places the ad on the publisher's site and the advertiser pays the network and the publisher.

Specific behaviour

Advertisers use clicks and mouse movements over ads as leading indicators of visitor intent - meaning that the users being shown ads are more likely to buy a product or sign up to a new service.

So if a malicious programme generates clicks or mouse traces, then advertisers will be encouraged to buy more ad space.

Spider.io said that about 95% of the hijacked machines were in the US.

"This particular botnet is being used to emulate human users surfing the web, mimicking normal browsing sessions and normal ad engagement," said the firm's chief executive Douglas de Jager.

"It is difficult to imagine why one would run this type of botnet across a cluster of 202 sites other than to commit display advertising fraud.


"Unfortunately, we can't be sure precisely which of the financially motivated parties is behind this. It could perhaps even be a single person within one of the companies, unbeknownst to others at this company."

He added that the company was able to spot the botnet thanks to a very specific behaviour of the infected computers.

"The bots subject host machines to heavy load, and the bots appear to crash and restart regularly," he said.

"When a bot crashes the concurrent sessions end abruptly; upon restart the bot requests a new set of cookies. These crashes and idiosyncratic site-traversal patterns are just two of the many bot features that provide for a distinctive bot signature."

Mimicking humans

Graham Cluley, a computer security expert from net security company Sophos, told the BBC that there were ways for computer owners to protect their machines from this type of fraud - for instance, by using up-to-date anti-virus software.

"The good news is that Chameleon is said to be quite unstable, and causes regular crashes and computer slowdown - something which might alert users to there being a problem with their PC."

He added that since Chameleon mimics human clicks, it is tricky for advertisers to easily spot the botnet.

"It makes the click look more human by randomly moving the cursor and the place where the mouse clicks, and pretending to be Internet Explorer 9.0 running on Windows 7.

"Advertising networks - not the advertisers themselves - need to work harder at identifying the difference between a genuine user clicking on an ad, and a compromised computer that has been turned into a click-fraud bot.

"That's not necessarily an easy challenge to overcome."
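The crash-and-restart behaviour Mr de Jager describes can be turned into a simple log heuristic. The following is an added example, not part of the original article and not Spider.io's method: it counts, per client IP, how often a group of concurrent sessions stops together and a fresh set of cookies is requested shortly afterwards. The log format, thresholds, function names and sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune against real traffic.
BURST = timedelta(seconds=5)         # ends/starts this close together form one burst
RESTART_GAP = timedelta(minutes=3)   # max quiet time between crash and new cookies
MIN_SESSIONS = 3                     # concurrent sessions needed to call it a burst
MIN_CYCLES = 2                       # crash/restart cycles needed to flag a client

def parse(lines):
    """Yield (timestamp, ip, cookie, is_new) from 'ISO-time ip cookie [new]' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3:] == ["new"]

def bursts(times):
    """Group timestamps into runs lying within BURST of the run's first member."""
    groups = []
    for t in sorted(times):
        if groups and t - groups[-1][0] <= BURST:
            groups[-1].append(t)
        else:
            groups.append([t])
    return [g for g in groups if len(g) >= MIN_SESSIONS]

def crash_restart_cycles(events):
    """Per IP: count bursts of session ends that are followed by a burst of new cookies."""
    first, last = defaultdict(dict), defaultdict(dict)
    for ts, ip, cookie, is_new in events:
        if is_new:
            first[ip].setdefault(cookie, ts)          # when the cookie was issued
        last[ip][cookie] = max(ts, last[ip].get(cookie, ts))  # last request seen
    cycles = {}
    for ip in last:
        start_bursts = bursts(first[ip].values())
        count = 0
        for end_burst in bursts(last[ip].values()):
            crash = end_burst[-1]
            if any(crash < sb[0] <= crash + RESTART_GAP for sb in start_bursts):
                count += 1
        cycles[ip] = count
    return cycles

def flag_bots(events):
    """Return IPs whose sessions repeatedly die together and restart with new cookies."""
    return sorted(ip for ip, n in crash_restart_cycles(events).items() if n >= MIN_CYCLES)

def sample_log():
    """Constructed traffic on documentation IP ranges; not real data."""
    day, out = "2013-03-19T", []
    def session(ip, cookie, start, end):
        out.append(f"{day}{start} {ip} {cookie} new")
        out.append(f"{day}{end} {ip} {cookie}")
    # Bot-like host: three concurrent sessions stop together, then new cookies, repeatedly.
    batches = [("10:00:0", "10:10:0"), ("10:11:0", "10:20:3"), ("10:21:4", "10:30:0")]
    for b, (start, end) in enumerate(batches):
        for i in range(3):
            session("203.0.113.7", f"b{b}{i}", f"{start}{i}", f"{end}{i}")
    # Shared office IP: sessions start together but end at unrelated times.
    session("192.0.2.50", "o0", "10:02:00", "10:08:00")
    session("192.0.2.50", "o1", "10:02:03", "10:15:00")
    session("192.0.2.50", "o2", "10:02:04", "10:27:00")
    # Single home user with one long session.
    session("198.51.100.20", "h0", "10:00:10", "10:25:00")
    return out

if __name__ == "__main__":
    print(flag_bots(parse(sample_log())))
```

This covers only the crash-and-restart feature; the site-traversal patterns mentioned in the same quote are not modelled here.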



MIT to release Swartz-related papers

20 March 2013 Last updated at 09:15 ET

The Massachusetts Institute of Technology (MIT) has announced it will release documents related to the prosecution of internet activist Aaron Swartz, who killed himself in January.

He was accused of illegally downloading academic documents using MIT networks.

MIT president L Rafael Reif said in an email that university employees' names would be blacked out for their safety.

Lawyers for Mr Swartz's estate filed a motion in a US federal court last week, requesting the documents' release.

The documents will be released at the same time as the findings of an internal inquiry into the university's role in the case, led by computer science professor Hal Abelson.

Mr Reif wrote: "In the time since Aaron Swartz's suicide, we have seen a pattern of harassment and personal threats."

"In this volatile atmosphere, I have the responsibility to protect the privacy and safety of those members of our community who have become involved in this matter in the course of doing their jobs for MIT, and to ensure a safe environment for all of us who call MIT home."

According to MIT, more than 70GB of data were downloaded from JStor, a subscription service for academic journals.

If convicted, Mr Swartz, 26, could have faced up to 35 years in prison and a fine of more than $1m (£630,000).

Mr Swartz's family says the actions of both MIT and the Massachusetts US Attorney's office contributed to his death.

"Aaron's death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach," they said in an earlier statement.



Music sales 'unaffected by piracy'

20 March 2013 Last updated at 12:06 ET

A report published by the European Commission Joint Research Committee claims that music web piracy does not harm legitimate sales.

The Institute for Prospective Technological Studies examined the online habits of 16,000 Europeans.

They also found that freely streamed music provided a small boost to sales figures.

The International Federation of the Phonographic Industry (IFPI) said the research was "flawed and misleading".

"It seems that the majority of the music that is consumed illegally by the individuals in our sample would not have been purchased if illegal downloading websites were not available to them," wrote the researchers in their report, Digital Music Consumption on the Internet: Evidence from Clickstream Data.

"Although there is trespassing of private property rights (copyrights), there is unlikely to be much harm done on digital music revenues," they added.

The team analysed data over the course of one year.

They also found that music streaming services such as Spotify and Pandora gave a small boost to music sales.

"According to our results, a 10% increase in clicks on legal streaming websites lead to up to a 0.7% increase in clicks on legal digital purchases websites," claimed the report.

However the international music industry body the IFPI was highly critical of the research.

"The findings seem disconnected from commercial reality," it said in a statement.

"If a large proportion of illegal downloaders do not buy any music (and yet consume, in some cases, large amounts of it), it cannot be logical that illegal behaviour stimulates legal download sales and inflicts no harm."

