Sunday 3 February 2013

UK InfoSec Review for January 2013

Microsoft release an emergency ‘Critical’ patch for Internet Explorer 6, 7 & 8
  • Patch released out-of-band on 14th January 2013, outside the normal monthly cycle
  • Patch remediates a publicly disclosed remote code execution vulnerability in Internet Explorer; an out-of-band release for a disclosed RCE in the browser should be treated as a same-day deployment rather than waiting for the next patch window
Microsoft release 2 ‘Critical’ and 5 ‘Important’ Security Patches
  • Patches released as part of the ‘Patch Tuesday’ cycle on 8th January 2013 
  • Patches address vulnerabilities in Windows, Office, Developer Tools, the .NET Framework and Microsoft server software
Adobe release patches fixing 27 vulnerabilities in Adobe Reader, Acrobat & Flash
  • Patches released as part of ‘Patch Tuesday’ cycle on 8th January 2013 
Hackers Used Data Centres to Supercharge Attacks
  • Researchers at Radware, who investigated the attacks for several banks, found that the attack traffic was coming from data centres around the world. They discovered that servers at various cloud and public web hosting providers had been infected with a particularly sophisticated form of malware, called Itsoknoproblembro, designed to evade detection by antivirus programs. The malware has existed for years, but the banking attacks were the first time it was used from data centres against external victims. The practical significance is bandwidth: a compromised hosted server has far more upstream capacity than the home PCs that make up a typical botnet, so a comparatively small number of infected hosts can generate very large volumes of traffic.
Anonymous PayPal attackers jailed in the UK
  • Two purported members of the Anonymous online collective were sentenced in London to prison time for launching distributed denial-of-service attacks against PayPal.
Hacktivists forecast continued DDoS campaign against banks
  • Distributed denial-of-service (DDoS) attacks against several U.S. bank websites were launched after an offensive anti-Muslim video appeared on YouTube
  • On 29th January the hacktivists suspended their bank DDoS campaign
  • Hacktivists continue to organise and launch DDoS and data theft attacks on businesses around the world. Hacktivist attacks against businesses can materialise extremely quickly, and DDoS attacks typically prove successful because most businesses do not have adequate DDoS defences built into their web-facing IT infrastructure. Those defences have to be in place before an attack starts: a large volumetric attack cannot be absorbed by on-premises equipment alone and needs upstream filtering arranged in advance with the ISP or a scrubbing provider, together with a tested plan for who invokes it.
  • In this case the banks had nothing to do with the offensive video posted on YouTube, but were targeted to make a political point

Saturday 2 February 2013

UK Data Protection Review for January 2013

ICO fines Sony £250,000 after millions of UK gamers’ personal details are compromised
  • The Sony PlayStation Network platform made international headlines when it was hacked in April 2011, compromising the personal information of millions of UK customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also put at risk.
  • An ICO investigation found that the attack could have been prevented if the software had been kept up to date, while technical developments also meant the stored passwords were no longer secure. The two findings are worth noting together: unpatched software was the way in, and weak password protection is what turned a server compromise into a credential breach for every affected customer.
  • ICO commented 
    • “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority” 
    • “There’s no disguising that this is a business that should have known better” 
    • “The penalty issued is clearly substantial, but we make no apologies for that. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”