Tuesday 4 December 2012

UK InfoSec Review for November 2012

Vital Microsoft (4 critical) and Adobe (7 critical flash) Security patches released this month.
  • Adobe have joined Microsoft in with releasing patches on Microsoft’s Patch Tuesdays, such is the regularity of new vulnerabilities that are found in their applications.
Fraudulent Westminster Council parking charge emails sent
  • At least 800 fraudulent emails have been sent telling people they owe Westminster Council money for parking.
  • Westminster's contractor, PayByPhone, said it had been the victim of a phishing scam. 
  • The council said it had received complaints from 800 people saying they had received fraudulent emails. However, it could not provide an estimate for the number of emails that had been sent out. 
  • Spam Emails are becoming more sophisticated and believable to end consumers, with attacks become more targeted against organisations, and personalised using stolen information. It is worth noting consumers and media can place blame at organisations for such attacks, as in this case.
Police arrest man over Home Office Distributed Denial of Service Attacks
  • Police have arrested a 41-year-old man in connection with distributed denial-of-service attacks against the websites of the Home Office and home secretary Theresa May.
  •  The Anonymous hacktivist group claimed to have launched a series of distributed denial-of-service (DDoS) attacks against the Home Office and Theresa May in April this year.
Sophos multiple critical flaws flagged by researcher
  • Google researcher said that security professionals should "exclude Sophos products from consideration for high value networks and assets" and "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
  • UK police have arrested three men suspected of being involved in thousands of phishing attacks on banking customers.
  • One Nigerian and two Romanian men were arrested at a central London hotel on conspiracy to defraud and money laundering charges.
  • The three men were allegedly involved in an operation that placed over 2,000 phishing pages on the internet
For Sale: Cheap access to corporate computers
  • Cyber-criminals are openly selling illegal access to the computer networks of many of the world's biggest companies.
  • One website called Dedicatexpress offers 17,000 server, with about 300,000 servers listed since the site started in 2010
  • List includes UK company servers for sale
  • Burglars seem to be exploiting a bug in widely used electronic key card door locks to steal from hotels.
  • Insurance firms said they expected to be "hit hard" as knowledge of the hack spread among professional thieves. 
  • UK swipe card systems are said to be also threaten by this and other similar vulnerabilities
Gartner warning on cloud security: Outages are bigger risk than breaches
  • Gartner analyst says the biggest concern should not be that data could be compromised in the cloud, but rather that there may be a cloud outage that could lead to data loss. 
  • Amazon Web Services, the market-leading cloud provider, has experienced three major outages in the past two years. After an April 2011 Elastic Compute Cloud (EC2) outage, some level of data was irrecoverable.
Lockheed Martin admits to growth in number of attacks on its networks
  • Defence contractor Lockheed Martin has reported a ‘dramatic growth' in the number and sophistication of cyber attacks on its networks. 
  • The attacks are ‘international' and attackers were clearly targeting Lockheed suppliers to gain access to information since the company had fortified its own networks. 
  • RSA said 20 per cent of the threats were considered to be advanced persistent threats (APT) and had increased dramatically over the last few years. 
  • Sophisticated cyber attacks are on the rise and present an increasing and persistent risk across UK plc. UK businesses must not be complacent about cyber attacks, as it is often said all FTSE 100 companies are primary targets by nation states and are actively being attacked, whether the companies realise these attacks are occurring, is another issue (monitoring).
  • A zero-day flaw that can be used as a vector to bypass sandboxing in Adobe Reader X and XI has been circulating on cyber crime forums, according to Russian forensics company Group-IB. 
  • Adobe introduced 'Adobe Protected Mode' sandboxing in October as part of an effort to improve Adobe Reader security. 
  • The flaw is advertised for sale for between $30,000 and $50,000, and is being included in versions of the Blackhole exploit kit 
  • The Blackhole exploit kit is often used to distribute banking Trojans such as Zeus, Spy Eye, Carberp and Citadel.
  • This vulnerability is yet to be patched
Kaspersky publish Top Ten Vulnerabilities List
  • The Security Patching of non-Microsoft applications such as Adobe Reader and Oracle Java on all Desktop and Laptops are a key area to validate within business Patch Management processes.
  • UK companies tend to patch Microsoft products pretty well but neglect other common desktop applications by Adobe and Oracle, which are rife with serious vulnerabilities if left unpatched.
1.    Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical.
2.    Oracle Java Three Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
3.    Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Gain access to sensitive data. Highly Critical.
4.    Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Highly Critical.
5.    Adobe Reader/Acrobat Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical.
6.    Apple QuickTime Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
7.    Apple iTunes Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
8.    Winamp AVI / IT File Processing Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
9.    Adobe Shockwave Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical.
10.  Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Gain access to sensitive data. Extremely Critical.

XSS remains the most frequently attacked website flaw according to FireHost
  • The third quarter of 2012 showed another increase in attacks against cross-site scripting (XSS) flaws on websites. 
  • Analysis of 15 million cyber attacks by FireHost users found XSS, directory traversals, SQL injections, and cross-site request forgery (CSRF) attacks to be the most serious and frequent and are part of FireHost's 'Superfecta' group. In Q3 of 2012, XSS and CSRF represented 64 per cent of attacks in this group.
  • The report claimed that XSS is now the most common attack type, with more than one million XSS attacks blocked during this period alone, a rise from 603,016 separate attacks in Q2 to 1,018,817 in Q3. There were 843,517 CSRF attacks reported.

Monday 3 December 2012

UK Data Protection Review for November 2012

ICO serves Prudential with a £50,000 fine after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account. 
  • This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss, but is against not ensuring the customer information held was accurate and kept up-to-date 
  • The original error was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007.
  • The accounts remained confused for more than three years, and the problem was only resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.

ICO fines Plymouth City Council £60,000 for sending child neglect report to wrong person
  • The report included highly sensitive personal information about two parents and four children, notably allegations of child neglect resulting in ongoing care proceedings.
  • An investigation by the ICO found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before they were sent out.
  • ICO stated although caused by human error, consider that the company hadn’t taken enough care when handling vulnerable people’s sensitive information.
  • ICO stated “The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that


ICO served monetary penalties totalling £440,000 on two owners of a marketing company which has plagued the public with millions of  spam texts over the past three years
  • Fine for breaching Privacy and Electronic Communications Regulations (PECR), which was approved in January 2012
  • The largest ICO fine to data
  • The ICO is also currently considering issuing penalties to three other companies believed to be acting in breach of the regulations as the office continues its crackdown on the illegal marketing industry.
  • All marketing by text message, email and mailshots, always are fully compliant with the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).

  • Media reports suggest organisations have considered using a “loophole” to avoid data breach fines – by asking the privacy regulator, the Information Commissioner’s Office (ICO), to audit them when they already know personal data has been lost or stolen.
  • The ICO have said not to fine any company for breaches of the Data Protection Act if they are discovered during a voluntary audit. It appears that no matter how badly a company has performed, if the poor practice comes to light during an audit, the perpetrator won’t have to pay up