Friday, 2 November 2012

UK InfoSec Review for October 2012

UK Police net suspected phishing gang http://www.scmagazineuk.com/police-net-suspected-phishing-gang/article/266148/
  • UK police have arrested three men suspected of being involved in thousands of phishing attacks on banking customers.
  • One Nigerian and two Romanian men were arrested at a central London hotel on conspiracy to defraud and money laundering charges.
  • The three men were allegedly involved in an operation that placed over 2,000 phishing pages on the internet.
XSS remains the most frequently attacked website flaw according to FireHost http://www.securityweek.com/cross-site-attacks-rise-top-q3-says-firehost
  • The third quarter of 2012 showed another increase in attacks against cross-site scripting (XSS) flaws on websites.
  • Analysis of 15 million cyber attacks by FireHost users found XSS, directory traversals, SQL injections, and cross-site request forgery (CSRF) attacks to be the most serious and frequent; FireHost groups these four as its 'Superfecta'. In Q3 of 2012, XSS and CSRF represented 64 per cent of attacks in this group.
  • The report claimed that XSS is now the most common attack type, with more than one million XSS attacks blocked during this period alone, a rise from 603,016 separate attacks in Q2 to 1,018,817 in Q3. There were 843,517 CSRF attacks reported.
Android apps 'leak' personal details http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
  • Android apps can be tricked into revealing personal data, research indicates.
  • Scientists tested 13,500 Android apps and found almost 8% failed to protect bank account and social media logins.
  • These apps failed to implement standard scrambling systems, allowing "man-in-the-middle" attacks to reveal data that passes back and forth when devices communicate with websites.
  • Given the use of Android devices in business BYOD schemes, this is a risk worth investigating further.
Cost and education are the biggest hindrances and failings around PCI compliance according to Vigitrust survey
Microsoft rejects digital certificates with fewer than 1024 bits
  • Microsoft Security Advisory: Update for minimum certificate key length http://technet.microsoft.com/en-us/security/advisory/2661254
  • Microsoft said that certificates with RSA keys less than 1024 bits in length will be blocked. Microsoft has recommended that people using RSA keys should choose a key length of at least 1024 bits after it spotted a number of digital certificates that did not meet its standard for security practices.
  • I recommend businesses adopt 2048-bit certificates by default across all applications and services.
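A check for this key-length floor, as an added example that is not from the advisory or the original post: it parses the PKCS #1 RSAPublicKey that sits inside a certificate's SubjectPublicKeyInfo and classifies the modulus against the 1024-bit block threshold and the 2048-bit recommendation. The sample moduli are constructed powers of two, not real key pairs, and the `build_rsa_public_key_der` encoder exists only to produce them.

```python
# Classify an RSA key length against Microsoft's 1024-bit floor and the 2048-bit default.
# Constructed example: test moduli are powers of two, not real key pairs.

def _der_len(n):
    """DER length octets: short form below 128, else 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(value):
    """DER INTEGER for a non-negative value; +8 forces a leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def build_rsa_public_key_der(modulus, exponent=65537):
    """Encode RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER RSAPublicKey (the SubjectPublicKeyInfo BIT STRING content)."""
    tag, seq, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # Count bits of the value, not encoded bytes: a 1024-bit modulus is
    # encoded in 129 bytes because of the sign-padding 0x00.
    return int.from_bytes(modulus, "big").bit_length()

def classify_key(der, blocked_below=1024, recommended=2048):
    """Return 'blocked', 'upgrade' or 'ok' for the key in a DER RSAPublicKey."""
    bits = rsa_modulus_bits(der)
    if bits < blocked_below:
        return "blocked"
    return "upgrade" if bits < recommended else "ok"
```

Feed `classify_key` the DER bytes of a certificate's RSA public key; anything that returns 'blocked' is what the advisory's update will reject, and 'upgrade' marks keys that pass the floor but fall short of the 2048-bit default.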
EU and banks stage DDoS cyber-attack exercise
  • The European Union has responded to an increase in the number of Distributed Denial of Service (DDoS) attacks with its biggest cybersecurity exercise.
  • Enisa (European Network and Information Security Agency), which is co-ordinating the event, said 25 nations actively participated in the practice run in October, and a further four countries were observing. But it would not specify the names of the states or organisations involved.
  • DDoS attacks have been increasing over the last couple of years.
