Monday, October 05, 2015
Experian bills itself as “the UK’s most trusted credit monitoring service” but, in the light of the data breach that has compromised the records of some 15 million T-Mobile (US) customers, it might have to reconsider that description on the other side of the pond. The as yet unknown hacker, or hackers, managed to acquire the records of customers and applicants requiring a credit card check (successful or not) for service or device financing between the 1st of September 2013 and September 16th 2015. Just for the record, yes, you did read that right. To pour a little more accelerant into the flames, the breach was not revealed to customers until 1st October. Which makes another Experian strapline, this time from the Experian Data Breach Response Service, seem equally irrelevant: “Respond, reassure and recover quickly in the event of a data breach.” Yeah right… T-Mobile CEO, John Legere, is pretty angry and says the stolen data includes customer name, address and birth date as well as encrypted fields with Social Security number and ID number (which might be a driver’s license or passport), as well as additional information used in T-Mobile’s own credit assessment. “Experian has determined that this encryption may have been compromised” Legere admits, going on to state that “I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian” as well as the usual stuff about assisting customers and taking security seriously, of course. Legere also took the opportunity to assure customers that “neither T-Mobile’s systems nor network were part of this intrusion”. So that’s OK then! Is Experian really so self-important that it thinks people should trust it when it comes to mopping up this mess?
Less OK, for many observers, is the fact that while that relationship review is made, T-Mobile has gone ahead and told customers impacted by the breach that they can have a couple of years of free credit monitoring and identity resolution service from, are you sitting down, the very company that allowed their data to be compromised in the first place.
Friday, October 02, 2015
A Jeep was taken over from 10 miles away via its in-car entertainment system in the summer, and just this week news broke of critical medical devices being 'owned' by botnet operators. Vulnerabilities in your web browser are one thing, but when they are in your car or an MRI scanner then the potential impact takes on a different hue. As, indeed, does the small matter of how the security researchers who most often uncover the coding flaws disclose them. New research from AlienVault reveals that 64 percent of security professionals think that when security researchers get no response from vendors after disclosing a vulnerability with 'life-threatening implications', the vulnerability should be made public. Some 19 percent of the 650 IT security pros questioned at Black Hat in Las Vegas earlier in the year went as far as to say the vulnerability should be fully disclosed to the media. This is in stark contrast to the traditional process of responsible disclosure, whereby all stakeholders agree to a set period for a fix to be produced before any such publication. SCMagazineUK wondered what industry insiders thought, so we asked them...
Tuesday, September 29, 2015
Monday, September 28, 2015
China president Xi Jinping agreed a truce on cybercrime with US President Barack Obama last week, a little different to the talk leading up to the event of a 'cyberwar accord' between the world's two most powerful nations. There is more chance of Donald Trump saying something that isn't offensive or ignorant than there is of a cyber-peace treaty stopping anything remotely cyber-warfare related in times of war, which is probably why the two political and economic giants didn't go there. Instead, they travelled down a similar but different road: the two agreed that 'cyber economic crime' must stop. While both countries adopt a ludicrous position of 'I didn't do it' when it comes to launching any kind of cyber attacks against the other, be that industrial espionage or more traditional information spying raids, both also say the other must stop or there will be sanctions. Obama spoke of a common understanding between the US and China that neither country would "conduct or knowingly support cyber-enabled theft of intellectual property", after warning that Chinese cyber attacks are not acceptable, and Xi Jinping happily agreed that "confrontation and friction are not the right choice for both sides" and insisted both countries would abide by "norms of behaviour." To which my response is a big fat SO WHAT?
You might not know it, but machine learning already plays a part in your everyday life. When you speak to your phone (via Cortana, Siri or Google Now) and it fetches information, or you type in the Google search box and it predicts what you are looking for before you finish, you are doing something that has only been made possible by machine learning. However, this is just the beginning: with companies such as Google, Microsoft and Facebook spending millions on research into advanced neural networks and deep machine learning, computers are set to get smarter still. But deep learning isn't about self-aware machines taking over the world. This is a story about how ingenious algorithms and code are giving computers the ability to do things we never previously thought possible.
Friday, September 25, 2015
It has not been a good week for lovers of apps, which is pretty much anyone with a smartphone. Both Android and iOS apps have been infected with malware, apps that were available through the official app stores rather than illicit third parties. Millions of users are at risk from the resulting malware infections, despite the Google 'Play Store' Bouncer and Apple's iOS 'Walled Garden' which were meant to prevent such breaches. So what went wrong, and how can it be prevented from happening again?
Thursday, September 24, 2015
There’s no point being an Internet of Things denier, it’s too late for that. It’s not too late, however, to start accepting that security could be a lot better. Which is where the launch of the Internet of Things Security Foundation comes in. There’s no ignoring the Internet of Things (IoT); you only have to look at the numbers to understand why: Intel reckons 200 billion objects (or 26 smart objects for every human being on Earth) will be part of the IoT by 2020, and Siemens reports that this will equate economically to earnings of up to US $8.9 trillion by the same year. It should come as no surprise, then, that everyone is talking about the IoT, including IT Security Thing Managing Director, Ian Robson, with his ‘Internet of Good Things’ organisation that is creating a community of like-minded IoT thinkers and doers. While I wouldn’t go as far as flipping Ian’s naming protocol a complete 360 and referring to it as an ‘Internet of Evil Things’, there are certainly things to worry about as well as celebrate. Not least the fact that many IoT devices have already proven themselves to be vulnerable to attack by those who would exploit them: from hacking into baby monitors through to hijacking smart toilets and router backdoors, to name but a few.
What if you could just walk up to an ATM machine and rob the bank right there? What if you also used two-factor authentication to stop other robbers doing the same? That’s what Proofpoint researchers have discovered is happening with GreenDispenser ATM malware. Proofpoint researchers have published details of a new ATM malware campaign that they have called GreenDispenser. This works in much the same way, in that it requires physical access to install and enables a thief to walk up, type in, and walk away with cash. Lots of cash. GreenDispenser-infected machines will display an out of service message, but the attacker can bypass this by entering the right codes. Even better for the thief, and a lot worse for the machine provider, the whole process can be wiped using a ‘deep delete’ system that leaves little for investigators to trace back. Currently the attacks appear to be limited mainly to Mexico, although India is implicated as well, and the malware appears to be able to target hardware from multiple vendors as long as they use the XFS standard adopted by large numbers of them.
Monday, September 21, 2015
Firefox, the browser client not the crappy Clint Eastwood movie, is built upon a background of open collaboration. Mozilla, which describes itself as “a global community of technologists, thinkers and builders working together to keep the Internet alive and accessible, so people worldwide can be informed contributors and creators of the Web”, is the organisation behind Firefox. According to Mozilla, around 40 per cent of the Firefox codebase is written by volunteers. According to Richard Barnes, the Firefox security lead at Mozilla, the Bugzilla bug tracker is “a major part of how we accomplish our mission of openness” and, while much of the Bugzilla information is in the public domain, “Bugzilla restricts access to security-sensitive information so that only certain privileged users can access it.” At the start of September, Mozilla revealed that not only had Bugzilla been breached but the security-sensitive information stolen was used to attack Firefox users. It seems that a Bugzilla account was compromised and a particular vulnerability being discussed was exploited. Although Richard Barnes states that the account was closed down “shortly after Mozilla discovered that it had been compromised”, there is no indication of how long it had been actively compromised. However, the version of Firefox released on 27th August is said to have fixed all of the vulnerabilities that could have been exploited using the information gleaned by the attacker. Mozilla immediately took steps to reduce the risk of future attacks on Bugzilla, the first being the forced introduction of two-factor authentication along with a password change for all users with access to security-sensitive data. On top of that, Mozilla announced that it would be reducing the number of privileged access users and reducing what they can actually do.
In the words of Richard Barnes, “we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.” Which is where Netanel Rubin, senior vulnerability researcher at PerimeterX, came in, asking whether Bugzilla was actually as secure as it should be. To cut a long story short, it wasn’t. Are you sitting comfortably? Good, then the long story can begin.
Thursday, September 17, 2015
Just a few weeks ago, the CoreBot Trojan was happily causing mischief as a login credential stealer. Now it has turned into a fully fledged bank robber instead. As malware goes modular and starts morphing, SCMagazineUK.com investigates the threat... Back at the start of the month, SCMagazine.com was warning that IBM had discovered CoreBot used a modular design that gave it the ability to be quickly altered and potentially made all the more dangerous. That prediction has borne fruit, and the malware has morphed from a pretty generic (modular design apart) and boring credential swiper into a multi-faceted bank robbing weapon. It's already targeting banks and other financial institutions across the US and UK, and the speed at which it has changed tack would suggest that there was a parallel development process going on from the get-go. CoreBot could be the start of something big, something rather nasty.