IT Security Expert

Sunday, 3 February 2013

UK InfoSec Review for January 2013

Microsoft release an Emergency “Critical” patch for Internet Explorer V6, 7 & 8 
  • Patch released out-of-band on 14th January 2013 
  • Patch remediates a publicly disclosed remote code execution vulnerability in IE 
Microsoft release 2 ‘Critical’ and 5 ‘Important’ Security Patches
  • Patches released as part of the ‘Patch Tuesday’ cycle on 8th January 2013 
  • Patches address vulnerabilities in Windows, Office, Developer Tools, .NET Framework and server software 
Adobe release patches fixing 27 vulnerabilities in Adobe Reader, Acrobat & Flash
  • Patches released as part of ‘Patch Tuesday’ cycle on 8th January 2013 
Hackers Used Data Centres to Supercharge Attacks
  • Researchers at Radware, who investigated the attacks for several banks, found that the traffic was coming from data centres around the world. They discovered that various cloud services and public web hosting services had been infected with a particularly sophisticated form of malware, called Itsoknoproblembro, that was designed to evade detection by antivirus programs. The malware has existed for years, but the banking attacks were the first time it was used from data centres to attack external victims. 
Anonymous PayPal attackers jailed in the UK
  • Two purported members of the Anonymous online collective were sentenced in London to prison time for launching distributed denial-of-service attacks against PayPal. 
Hacktivists forecast continued DDoS campaign against banks
  • Distributed denial-of-service (DDoS) attacks against several U.S. bank sites were launched after an offensive anti-Muslim video appeared on YouTube 
  • On 29th January Hacktivists suspended their bank DDoS campaign 
  • Hacktivists continue to organise and launch DDoS and data theft attacks on businesses around the world. Hacktivist attacks against businesses can materialise extremely quickly, and DDoS attacks typically prove successful as most businesses do not have adequate DDoS defences built into their web-facing IT infrastructure. 
  • In this DDoS example the banks had nothing to do with the offensive video posted on YouTube, but were targeted to make a political point 

Saturday, 2 February 2013

UK Data Protection Review for January 2013

ICO fines Sony £250,000 after millions of UK gamers personal details are compromised
  • Sony PlayStation Network Platform made international headlines when it was hacked in April 2011, compromising the personal information of millions of UK customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. 
  • An ICO investigation found that the attack could have been prevented if the software had been up-to-date, while technical developments also meant passwords were not secure 
  • ICO commented 
    • “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority” 
    • “There’s no disguising that this is a business that should have known better” 
    • “The penalty issued is clearly substantial, but we make no apologies for that. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”

Wednesday, 2 January 2013

UK Data Protection Review for December 2012

Leeds City Council has been fined £95,000 by the ICO watchdog after it sent highly confidential and sensitive personal data about a child in care to the wrong person.

Devon County Council has been fined £90,000 by the ICO after a social worker who had been preparing an "adoption panel report" sent out an alternative file they had been using as a template to the wrong family.

Lewisham Council fined £70,000 by ICO after sensitive personal information was left on a train

A bank employee has been fined after a court heard she unlawfully accessed bank statements of her partner’s ex-wife.

Tuesday, 1 January 2013

UK InfoSec Review for December 2012

Microsoft release 7 security patches on 11th December 2012, 5 of them rated critical

The critical patches address vulnerabilities in Windows, Word, Windows Server and Internet Explorer. The other two patches are rated as important and address issues in Windows.

Tuesday, 4 December 2012

UK InfoSec Review for November 2012

Vital Microsoft (4 critical) and Adobe (7 critical Flash) security patches released this month.
  • Adobe have joined Microsoft in releasing patches on Microsoft’s Patch Tuesday, such is the regularity of new vulnerabilities found in their applications.
Fraudulent Westminster Council parking charge emails sent
  • At least 800 fraudulent emails have been sent telling people they owe Westminster Council money for parking.
  • Westminster's contractor, PayByPhone, said it had been the victim of a phishing scam. 
  • The council said it had received complaints from 800 people saying they had received fraudulent emails. However, it could not provide an estimate for the number of emails that had been sent out. 
  • Spam emails are becoming more sophisticated and believable to end consumers, with attacks becoming more targeted against organisations and personalised using stolen information. It is worth noting that consumers and the media can place the blame for such attacks on the organisation, as in this case.
Police arrest man over Home Office Distributed Denial of Service Attacks
  • Police have arrested a 41-year-old man in connection with distributed denial-of-service attacks against the websites of the Home Office and home secretary Theresa May.
  •  The Anonymous hacktivist group claimed to have launched a series of distributed denial-of-service (DDoS) attacks against the Home Office and Theresa May in April this year.
Sophos multiple critical flaws flagged by researcher
  • A Google researcher said that security professionals should "exclude Sophos products from consideration for high value networks and assets" and that "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
UK police arrest three men over bank phishing attacks
  • UK police have arrested three men suspected of being involved in thousands of phishing attacks on banking customers.
  • One Nigerian and two Romanian men were arrested at a central London hotel on conspiracy to defraud and money laundering charges.
  • The three men were allegedly involved in an operation that placed over 2,000 phishing pages on the internet
For Sale: Cheap access to corporate computers
  • Cyber-criminals are openly selling illegal access to the computer networks of many of the world's biggest companies.
  • One website called Dedicatexpress offers access to 17,000 servers, with about 300,000 servers listed since the site started in 2010
  • List includes UK company servers for sale
Burglars exploit flaw in hotel electronic key card locks
  • Burglars seem to be exploiting a bug in widely used electronic key card door locks to steal from hotels.
  • Insurance firms said they expected to be "hit hard" as knowledge of the hack spread among professional thieves. 
  • UK swipe card systems are said to be threatened by this and other similar vulnerabilities as well
Gartner warning on cloud security: Outages are bigger risk than breaches
  • Gartner analyst says the biggest concern should not be that data could be compromised in the cloud, but rather that there may be a cloud outage that could lead to data loss. 
  • Amazon Web Services, the market-leading cloud provider, has experienced three major outages in the past two years. After an April 2011 Elastic Compute Cloud (EC2) outage, some customer data was irrecoverable.
Lockheed Martin admits to growth in number of attacks on its networks
  • Defence contractor Lockheed Martin has reported a ‘dramatic growth' in the number and sophistication of cyber attacks on its networks. 
  • The attacks are ‘international', and attackers were clearly targeting Lockheed's suppliers to gain access to information, since the company had fortified its own networks. 
  • RSA said 20 per cent of the threats were considered to be advanced persistent threats (APT), and that these had increased dramatically over the last few years. 
  • Sophisticated cyber attacks are on the rise and present an increasing and persistent risk across UK plc. UK businesses must not be complacent about cyber attacks: it is often said that all FTSE 100 companies are primary targets of nation states and are actively being attacked. Whether the companies realise these attacks are occurring is another issue, and comes down to monitoring.
Adobe Reader zero-day sandbox bypass on sale on cyber crime forums
  • A zero-day flaw that can be used as a vector to bypass sandboxing in Adobe Reader X and XI has been circulating on cyber crime forums, according to Russian forensics company Group-IB. 
  • Adobe introduced 'Adobe Protected Mode' sandboxing in October as part of an effort to improve Adobe Reader security. 
  • The flaw is advertised for sale for between $30,000 and $50,000, and is being included in versions of the Blackhole exploit kit 
  • The Blackhole exploit kit is often used to distribute banking Trojans such as Zeus, SpyEye, Carberp and Citadel.
  • This vulnerability is yet to be patched
Kaspersky publish Top Ten Vulnerabilities List
  • The security patching of non-Microsoft applications such as Adobe Reader and Oracle Java on all desktops and laptops is a key area to validate within business patch management processes.
  • UK companies tend to patch Microsoft products pretty well but neglect other common desktop applications by Adobe and Oracle, which are rife with serious vulnerabilities if left unpatched.
1. Oracle Java Multiple Vulnerabilities: DoS attack (gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (gain access to sensitive data). Highly Critical.
2. Oracle Java Three Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
3. Adobe Flash Player Multiple Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges; gain access to sensitive data. Highly Critical.
4. Adobe Flash Player Multiple Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges; bypass security systems. Highly Critical.
5. Adobe Reader/Acrobat Multiple Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
6. Apple QuickTime Multiple Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
7. Apple iTunes Multiple Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
8. Winamp AVI / IT File Processing Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
9. Adobe Shockwave Player Multiple Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
10. Adobe Flash Player Multiple Vulnerabilities: gain access to a system and execute arbitrary code with local user privileges; bypass security systems; gain access to sensitive data. Extremely Critical.
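Validating that Java and Adobe products are actually at the required patch level across an estate is where most patch management processes fall down, partly because version strings such as Java's "1.7.0_09" do not compare correctly as text. The following is an added example (not from the original post, Kaspersky or any vendor tool) that checks a constructed software inventory export against a minimum-version baseline. The baseline versions and the inventory rows are placeholders invented for the example, not the real November 2012 patch levels.

```python
import re
from typing import Dict, List, Tuple

# Minimum acceptable versions per product. These numbers are placeholders
# chosen for the example; replace them with the current vendor advisories.
BASELINE: Dict[str, str] = {
    "Java(TM) 7": "1.7.0_09",
    "Adobe Reader": "11.0.1",
    "Adobe Flash Player": "11.5.502.110",
}

# Constructed inventory export, (hostname, product, version), in the shape a
# desktop management tool might dump it. Not real hosts.
INVENTORY: List[Tuple[str, str, str]] = [
    ("PC-0001", "Java(TM) 7", "1.7.0_07"),
    ("PC-0001", "Adobe Reader", "11.0.1"),
    ("PC-0002", "Java(TM) 7", "1.7.0_10"),
    ("PC-0002", "Adobe Flash Player", "11.4.402.287"),
    ("PC-0003", "Adobe Reader", "9.5.2"),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.7.0_09' or '11.5.502.110' into a tuple of integers so that
    versions compare numerically. Plain string comparison would rank
    '1.7.0_10' below '1.7.0_9', hiding a patched host as unpatched."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_unpatched(inventory: List[Tuple[str, str, str]],
                   baseline: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, required) for every install that is
    below the baseline. Products not in the baseline are out of scope."""
    findings = []
    for host, product, installed in inventory:
        required = baseline.get(product)
        if required is None:
            continue
        if version_key(installed) < version_key(required):
            findings.append((host, product, installed, required))
    return findings


if __name__ == "__main__":
    for host, product, installed, required in find_unpatched(INVENTORY, BASELINE):
        print(f"{host}: {product} {installed} is below required {required}")
```

Run against a real export, the report is the list of hosts to chase; the point of `version_key` is that the comparison must be numeric per component, including Java's underscore update number.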

XSS remains the most frequently attacked website flaw according to FireHost
  • The third quarter of 2012 showed another increase in attacks against cross-site scripting (XSS) flaws on websites. 
  • Analysis of 15 million cyber attacks against FireHost users found XSS, directory traversal, SQL injection and cross-site request forgery (CSRF) attacks to be the most serious and frequent; FireHost groups these four as its 'Superfecta'. In Q3 of 2012, XSS and CSRF represented 64 per cent of attacks in this group.
  • The report claimed that XSS is now the most common attack type, with more than one million XSS attacks blocked during this period alone, a rise from 603,016 separate attacks in Q2 to 1,018,817 in Q3. There were 843,517 CSRF attacks reported.
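To make the four 'Superfecta' classes concrete, here is an added example (not FireHost's detection logic and not part of the original post) that labels a handful of constructed web requests. The signatures are deliberately minimal illustrations rather than a production rule set, and the requests, site origin and paths are invented for the example. The one point worth taking from it is that XSS, traversal and SQL injection show up in the decoded URL, whereas CSRF does not: a forged request looks like a legitimate one, so it has to be judged from request context such as the Origin header on state-changing methods.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# The site's own origin (an assumption for the example).
SITE_ORIGIN = "https://shop.example"

# Constructed sample requests: method, request path and the Origin header
# (None when the browser sent none). Not taken from any real log.
SAMPLE_REQUESTS: List[Dict[str, Optional[str]]] = [
    {"method": "GET", "path": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "origin": None},
    {"method": "GET", "path": "/download?file=../../../../etc/passwd", "origin": None},
    {"method": "GET", "path": "/item?id=1'%20OR%20'1'%3D'1", "origin": None},
    {"method": "POST", "path": "/account/email", "origin": "https://evil.example"},
    {"method": "POST", "path": "/account/email", "origin": "https://shop.example"},
    {"method": "GET", "path": "/item?id=42", "origin": None},
]

# Illustrative signatures only; real rule sets are far larger and still
# produce false positives (for example "onion=" would match the XSS rule).
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "directory_traversal": re.compile(r"(?:\.\./|\.\.\\)+"),
    "sql_injection": re.compile(
        r"('\s*(or|and)\s*'|\bunion\b\s+\bselect\b|--\s*$|;\s*drop\b)", re.I),
}

STATE_CHANGING = ("POST", "PUT", "DELETE")


def classify(request: Dict[str, Optional[str]]) -> List[str]:
    """Return the attack labels that apply to one request."""
    # Decode first: attackers URL-encode payloads precisely to dodge
    # signatures that only inspect the raw request line.
    decoded = unquote_plus(request["path"] or "")
    labels = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    # CSRF is invisible in the URL. Flag state-changing requests whose Origin
    # is missing or belongs to another site; a real check would also verify
    # the anti-CSRF token in the request body.
    if request["method"] in STATE_CHANGING and request.get("origin") != SITE_ORIGIN:
        labels.append("csrf_suspect")
    return labels


def summarise(requests: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count how many requests carry each label, the shape of the quarterly
    figures quoted above."""
    counts: Dict[str, int] = {}
    for request in requests:
        for label in classify(request):
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request["method"], request["path"], "->", classify(request) or "clean")
    print(summarise(SAMPLE_REQUESTS))
```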

Monday, 3 December 2012

UK Data Protection Review for November 2012

ICO serves Prudential with a £50,000 fine after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account. 
  • This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss, but is for failing to ensure the customer information held was accurate and kept up to date 
  • The original error was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007.
  • The accounts remained confused for more than three years, and the problem was only resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.

ICO fines Plymouth City Council £60,000 for sending child neglect report to wrong person
  • The report included highly sensitive personal information about two parents and four children, notably allegations of child neglect resulting in ongoing care proceedings.
  • An investigation by the ICO found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before they were sent out.
  • The ICO stated that although the breach was caused by human error, the council had not taken enough care when handling vulnerable people’s sensitive information.
  • The ICO stated: “The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.”


ICO served monetary penalties totalling £440,000 on two owners of a marketing company which has plagued the public with millions of spam texts over the past three years
  • Fine for breaching the Privacy and Electronic Communications Regulations (PECR); the ICO’s power to fine under PECR was approved in January 2012
  • The largest ICO fine to date
  • The ICO is also currently considering issuing penalties to three other companies believed to be acting in breach of the regulations as the office continues its crackdown on the illegal marketing industry.
  • All marketing by text message, email and mailshot must always be fully compliant with the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).

Businesses consider abusing ICO data breach fine ‘loophole’
  • Media reports suggest organisations have considered using a “loophole” to avoid data breach fines: asking the privacy regulator, the Information Commissioner’s Office (ICO), to audit them when they already know personal data has been lost or stolen.
  • The ICO have said they will not fine any company for breaches of the Data Protection Act that are discovered during a voluntary audit. It appears that no matter how badly a company has performed, if the poor practice comes to light during an audit, the perpetrator won’t have to pay up.

Wednesday, 28 November 2012

Text Spammings, Finally an ICO Fine of Merit

Today the Information Commissioner's Office (ICO) announced a record fine of £440,000 against the owners of Tetrus Telecoms. The ICO stated the Manchester based Tetrus Telecoms, were responsible for sending millions of unsolicited text messages using unregistered SIM cards, and personal data gained illegally.  Tetrus Telecoms were said to be sending 840,000 spam text messages a day promoting PPI claims and accident compensation claims, in the hope of earning a referral fee should any of the recipients respond. These referral fees netted the text spammers £8,000 a day. This is a lot of easy money, but it does mean 99.9% of those receiving the texts didn't reply, and so didn't want the text message in the first place.
Who hasn't had a PPI Text Message this year?

Finally the ICO dishes out a fine which is close to their maximum amount of £500K. Often criticised as a toothless tiger, the ICO's fines are really hit and miss; however, this £440K fine is the highest amount levied to date.

Finally a significant fine amount from the ICO against the owners of a private company. I don't agree with the past ICO six figure fines against public sector organisations, such as local authorities and the NHS, as in effect the ICO are taking money out of the public purse. Not great, especially in these tough economic times, as these fines hit budgets, which in turn hit the provision of public services. Negative publicity and pressure on organisation leaders are the more appropriate method of dealing with publicly funded organisations that breach the Data Protection Act (DPA). Furthermore, public sector fines appear not to be much of a deterrent, as the NHS and local authorities continue to breach the DPA regularly. Private businesses are motivated by financial penalties hitting their profit margins, but the private sector do not have to disclose DPA breaches to the ICO. Also, if a business volunteers for an ICO audit, they appear to be handed a "get out of jail free card" for any data breaches they knowingly have incurred. See: Businesses Consider Abusing ICO Data Breach Fine ‘Loophole’

ICO: Inconsistent enforcement action

Finally the ICO gets tough with text spammers, an issue which the vast majority of the UK public actually do really care about. Who doesn't hate being bombarded with streams of PPI text messages on our mobiles? Most people have received loads of these unwanted texts this year, wondering why such messages are allowed to be sent. But it does beg the question: why has it taken the ICO so long to deal with text spamming, and what about phone-call and email spamming, which are equally rife? There are many other UK-based illegal spamming operations in play; isn't it in the public interest to have these tackled as well?

Friday, 9 November 2012

The Death of PCI: Two-Factor Online Payments

Back in September 2007, I attended the inaugural Payment Card Industry Security Standards Council (PCI SSC) Community Meeting in Toronto. These were the days before PCI was big business; there must have been only a couple of hundred people at the event, in a typical downtown hotel in Toronto. PCI was still finding its feet, the PCI SSC Board members spent most of the event being grilled by delegates brimming with questions about the PCI standard, and it is fair to say some delegates weren't happy chappies at all. I took the opportunity of asking SSC Board members several questions myself; looking back today some of my questions could be seen as rather naive, given who is behind setting up the PCI SSC and why. 

I asked why the PCI SSC doesn't just regulate the card issuers, challenging them with a standard to secure the cards and cardholder data to a higher degree, instead of passing the buck onto everyone else in the industry. I explained how in Europe we had just started using a new two-factor authentication system, Chip and PIN, which was already dramatically cutting face-to-face card fraud (known as cardholder-present transactions). I argued they just needed to replicate that two-factor authentication for the cases where we couldn't prove a person (the cardholder) was in possession of the payment card, specifically telephone, online and perhaps mail order payments (known as cardholder-not-present or MOTO payments). My point was that the industry should be focusing on updating the plastic card technology itself, which had been standing still for decades with its 1970s magnetic stripe holding sensitive card data on the back. Wasn't it time to evolve the technology and make the cardholder data itself worthless, in order to combat card fraud more effectively? 
Magnetic stripe
Of course these questions and points all fell on deaf ears, as the PCI SSC is about regulating cardholder data beyond the card issuers, passing the failings and fraud costs of weakly secured plastic cards onto the payment processors and retailers that need to process them for payments. The one big downside to PCI DSS is that companies are paying to protect someone else's data, as cardholder data belongs to the card brands (i.e. Visa, MasterCard, Amex) and not to the cardholders. My gripe is that companies invest more in protecting someone else's data than they do their own confidential information and, more importantly, other people's sensitive personal data. This often leads to their information security budgets being plundered by PCI programmes in order to protect the card brands' data at the expense of protecting citizens' personal data.

Five years on from that Toronto meeting, it has been clear for many years that Chip & PIN (EMV) works in cutting cardholder-present fraud; every information security professional knows the benefits of using a two-factor authentication system. Only now has North America finally started to push Chip & PIN for cardholder-present transactions, following the European success. Could the penny have finally dropped? Are card brands and card issuers now seriously thinking about using two-factor authentication to protect online transactions from fraud as well?

To secure online transactions in the same way as Chip & PIN, you need to ensure the cardholder is in possession of their card. This can be accomplished with a one-time number generator built into the card itself, showing the number on a thin LCD screen on the card. The one-time number is generated from a timed cryptographic sequence, which creates a unique number valid only for a limited time. This number can be keyed in or spoken by the cardholder, and so used to corroborate that the payment card itself is in the possession of the cardholder. Further, the security could be seriously ramped up by first requiring the cardholder to type their PIN into the card itself before the number is generated. This gives two-factor authentication for online and telephone (MOTO) payments: proof of possession of the card (something you have), plus the cardholder must know their PIN (something you know). Recently both Visa Europe and MasterCard have announced new cards that do just that.
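The "timed sequence" above is, in the terms a security engineer would use, a time-based one-time code: card and issuer share a secret, both derive a short code from that secret and the current time step, and the issuer accepts only codes for the current step and a narrow window around it. The following is an added example of that mechanism in Python, written for this page; it is not Visa's or MasterCard's implementation, whose exact algorithms the post does not describe. It assumes an HMAC-SHA1 construction in the style of RFC 4226/6238, a 60-second code validity window, and uses the RFC 4226 test-vector key as the constructed card secret so the codes are reproducible; the PIN is invented for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed card secret: the RFC 4226 test-vector key, used here only so the
# codes are reproducible. A real card would hold a per-card key that never
# leaves the chip; the issuer holds a copy in its HSM.
CARD_SECRET = b"12345678901234567890"
CARD_PIN = "4921"          # constructed example PIN, stored on the chip
STEP_SECONDS = 60          # how long a displayed code stays valid (an assumption)
CODE_DIGITS = 6


def generate_code(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """One-time code for a counter value, using the HMAC-SHA1 dynamic
    truncation of RFC 4226. The timed variant feeds the time step in as the
    counter, so card and issuer compute the same code from the same clock."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def card_display_code(secret: bytes, stored_pin: str, pin_entered: str,
                      now: float) -> Optional[str]:
    """Card side. A code is only produced once the correct PIN is keyed in on
    the card, so a thief holding the plastic (something you have) still needs
    the PIN (something you know). Returns None on a wrong PIN."""
    if not hmac.compare_digest(pin_entered.encode(), stored_pin.encode()):
        return None
    return generate_code(secret, int(now // STEP_SECONDS))


def issuer_verify(secret: bytes, code: str, now: float, skew_steps: int = 1) -> bool:
    """Issuer side. Recompute the code for the current time step and a small
    window either side to tolerate clock drift between card and issuer. A
    code from an older step is rejected, so a code captured by a phishing page
    or a compromised merchant is worthless within minutes."""
    current = int(now // STEP_SECONDS)
    for step in range(max(0, current - skew_steps), current + skew_steps + 1):
        if hmac.compare_digest(generate_code(secret, step), code):
            return True
    return False


if __name__ == "__main__":
    import time
    shown = card_display_code(CARD_SECRET, CARD_PIN, "4921", time.time())
    print("code on card display:", shown)
    print("issuer accepts:", issuer_verify(CARD_SECRET, shown, time.time()))
```

One caveat the short window does not cover on its own: within that window the same code could be replayed, so the issuer would also need to remember codes already spent for each card and reject a second use.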

MasterCard's Two-Factor Payment Card

Visa's Two-Factor Payment Card

Why we want one of those
Most card consumers don't want gimmicky pictures of themselves on their payment cards; we want two-factor authentication for all our card payments, not just at the checkout. Why? Because consumers actually do care about having their accounts hit by fraudulent transactions and do want to be decently protected, as when all is said and done, consumers foot both the card fraud bill and the retailers' PCI bill. This new generation of cards deals with the root cause of the card fraud problem, the weakly secured plastic itself, and has to be the best way forward.

Death of PCI
For retailers, if all cards switched to two-factor authentication completely, it could finally mean they don't need to protect cardholder data, certainly not to the same degree at present, which really could spell the death of PCI. We'll have to wait and see before this 'not new' technology takes off in the industry, but I don't think PCI DSS will be around a decade from now.

Saturday, 3 November 2012

4 Ways Your Child is Vulnerable to Identity Theft

Scary American-made awareness video on child identity theft by Good Money. It's titled "5 Ways", but it's actually 4 ways for UK parents, as we can ignore number 2 on Social Security numbers.

My recommendation is to educate your children and teenagers and monitor their online activity, and teach them to secure their personal information and digital footprint online.

5 Ways Your Child is Vulnerable to Identity Theft Online from Good Money by CreditScore.net on Vimeo.

According to the United States Bureau of Justice Statistics, in 2010, 7% or “8.6 million households had at least one member age 12 or older who experienced one or more types of identity theft victimization.” But identity theft is not just reserved for tweens and adults. In this age of information, children are increasingly vulnerable to the same kinds of attacks that cripple credit scores and bust bank accounts. Check out this video to learn about five ways you could be exposing your child’s sensitive information to identity theft.