Police officer arrested in News Corp hacking investigation
Aug. 22, 2011
A police investigator working on Scotland Yard's inquiry into alleged phone-hacking at the now-defunct Sunday tabloid the News of the World was arrested by senior officers from the anti-corruption unit of London's Metropolitan police late last week.
The police said that on Thursday, August 18 they arrested a serving MPS officer from Operation Weeting on suspicion of misconduct in a public office relating to unauthorized disclosure of information as a result of a proactive operation.
They didn't release the name of the officer, who was described as a 51-year-old male detective constable, and Scotland Yard only confirmed he had been arrested after releasing the man on bail until September 29, pending further investigation.
As is customary in such incidents, the officer was suspended from his job the next day. "I made it very clear when I took on this investigation the need for operational and information security. It is hugely disappointing that this may not have been adhered to," said Deputy Assistant Commissioner Sue Akers, who is in charge of Operation Weeting.
"The MPS takes the unauthorized disclosure of information extremely seriously and has acted rapidly in making this arrest," she added.
Meanwhile, a thirty-five-year-old man was also released the next day, after being in police custody on suspicion of conspiring to unlawfully intercept voicemails.
He was bailed to return at a yet-to-be-determined date in October. Reports suggest that former NotW features writer Dan Evans was the man arrested then bailed by police on Friday.
James Desborough, who joined the Sunday tabloid as a reporter in 2005 before being promoted to Hollywood editor in 2009, was also arrested last Thursday as part of the Operation Weeting probe.
In other internet security news
On August 15, and after reporting on Anonymous' hacking of BART's Web site and after the leak of user information from mybart.org, some in the Internet security community started receiving messages on Twitter and elsewhere from sources purporting to be tied to Anonymous.
They were all critical of the leak of personal info from mybart.org, pointing to dissent on Twitter and Anonymous IRC channels. "Just wanted you to know not all of Anon approves!" read one of the messages. Then today, it seems to have all become too much for one former Anonymous hacker.
Until now, he's gone by the handle "SparkyBlaze" and now he officially resigned as a Manchester, U.K., resident named Matthew who has had enough of what he calls a lot of nonsense from a group that claims to do good and no evil.
He goes on to say that "higher-up" Anons have thrown other members of the collective "to the lions," claiming that Anonymous' campaigns and leadership have been ineffective and prey on "kids" to do their dirty work and risk arrest.
Some inside the internet security community contacted SparkyBlaze and asked if the BART operation was the last straw for him. He says "That was one factor, mainly it was because I was just fed up with anon putting people's data on-line and then claiming to be the big heroes."
SparkyBlaze adds that he did find it hypocritical that Anonymous claimed to be fighting for BART users by putting their data online.
With regard to his own involvement with Anonymous, SparkyBlaze says he supported a number of operations, "and some un-ethical ones that I am not proud of but, I never exposed people's data-- and of that, I can be proud of. I want to be clear on that."
He says he was proud to be involved in attacks on sites run by Iran's government, but not so proud to have been involved in the Sony attacks a few months ago.
"If I get arrested with this I will have to deal with it. I don't care about what anon do now and I just want to say that not all anon's are bad-- just a few. Some do want change. They are just going about it in the wrong way," said SparkyBlaze.
SparkyBlaze's defection from Anonymous has made at least minor waves within the organization. A post by Commander X, purported to have led a number of recent hacks, including last week's BART operation, suggests SparkyBlaze should be considered persona non grata:
SparkyBlaze says that that posting was in response to his calling Commander X an "idiot for exposing people's data and supporting it" coupled with his Pastebin.
In other internet security news
Internet security researchers have discovered a method to break the Advanced Encryption Standard (AES) used to protect everything from top-secret government documents, confidential medical files, social insurance numbers, credit cards and online banking transactions.
The method, which was published in a paper presented Aug. 17 as part of the Crypto 2011 Conference in Santa Barbara, allows potential hackers to recover AES secret keys up to five times faster than previously possible.
This represents a major security issue to many organizations. The method introduces a technique known as 'biclique cryptanalysis' to delete just two bits of data from 128, 192 and 256-bit security encryption keys.
“This research is groundbreaking because it is the first technique discovered of actually breaking single-key AES that is slightly faster than brute force,” said Nate Lawson, a cryptographer and the principal security consultant at Root Labs. “But I must also tell you that it doesn't compromise AES in any practical way.”
Lawson also added that it would still take "trillions of years" to recover strong AES keys using the biclique technique, which is a variant of what's known as a meet-in-the-middle cryptographic attack. This method works both from the inputs and outputs of AES towards the middle, reusing partial computation results to speed up the brute-force key search.
The technique is designed to cut down on the time an attacker needs to fully recover the key.
Lawson added "This technique is a divide-and-conquer attack. To find an unknown key, they partition all the possible keys into a set of groups. This is possible because AES subkeys only have small differences between round numbers. They can then perform a smaller search for the full key since they can reuse partial bits of the key in later phases of the computation."
It's impressive work but there's still no better cipher to use than AES for now. And AES still remains the preferred cryptographic scheme of the U.S. government and a few others. The National Institute of Standards and Technology commissioned AES ten years ago as a replacement for the DES, or Digital Encryption Standard, which wasn't as secure and became obsolete.
The research is the work of Andrey Bogdanov of Katholieke Universiteit in Leuven; Microsoft Research's Dmitry Khovratovich; and Christian Rechberger of Ecole Normale Superieure in Paris.
Both Bogdanov and Rechberger took leave from their positions to work on the project for Microsoft Research that started in October 2010.
In other internet security news
Internet security specialists have developed an Android user application that logs various keystrokes using a smartphone's sensors to measure the locations a user taps on the touch screen. TouchLogger, as their demo app is called, allowed its creators at the University of California to demonstrate a security hole in most smartphones and tablets that has largely gone unnoticed up until today.
While most of these devices lack physical keyboards that have long been known to leak user input, they nonetheless remain very susceptible to outside monitoring through similar side-channel attacks, and that represents a big security risk, according to the researchers.
Whereas eavesdroppers measure sound and electromagnetic radiation to capture input from traditional keyboards, they can also monitor the motion of the mobile device to achieve much the same result from a touch screen-- something that was never given any thought until this latest discovery.
“Motion sensors, such as accelerometers and gyroscopes, may also be used to infer keystrokes as well,” the researchers wrote in a paper presented last week at the HotSec 2011 workshop in San Francisco.
“When the user types on the soft keyboard on a smartphone (especially if the user holds the phone by hand rather than placing it on a fixed surface), the phone vibrates. We discovered that keystroke vibration on touch screens are highly correlated to the keys being typed,” the researcher wrote.
And applications like TouchLogger and others that are similar could be significant since they bypass protections built into both the Android OS and Apple's competing iOS that prevent a program from reading keystrokes unless it's active and receives focus from the screen.
It was designed to work on an HTC Evo 4G smartphone. It had an accuracy rate of more than 70 percent of the input typed into the number-only soft keyboard of the device. The app worked by using the phone's accelerometer to guess estimate the motion of the device each time a soft key was pressed.
With just a few minor adjustments, the security researchers also believe that they can expand the effectiveness of TouchLogger, as well as the devices it will work on-- creating major security concerns for users in the enterprise segment. So far, no significant amount of testing has been done on RIM's BlackBerry system, but it's only a question of time until the researchers begin.
“The tablet has a larger screen, so hopefully we can get a higher accuracy rate on a Qwerty keyboard,” said Liang Cai, a graduate student in U.C. Davis's computer science department who collaborated with his advisor Hao Chen. “We didn't really try it on a large scale of devices, but we will soon.”
Besides targeting devices with larger touch screens, the researchers added that TouchLogger could also be improved by using other sensors built into the targeted device. Prime candidates include gyroscopes to measure the rate of rotation and a camera to further detect motion.
But for now, all they are hoping is to get the word out that the motion detected by a smart device's own sensors could expose highly valuable information, including passwords, social security numbers and credit card information.
“We hope to raise the awareness of motion as a significant side channel that may leak confidential data,” they wrote.
Source: Scotland Yard.
You can link to the Internet Security web site as much as you like.