Saturday, 9 March 2013

UK InfoSec Review for February 2013

    • Addresses 57 vulnerabilities in Windows, Office, Internet Explorer, Exchange and the .NET Framework. 
    • 5 of these vulnerabilities were rated by Microsoft as ‘Critical’, Microsoft recommends to prioritise against MS13-009, MS13-010 and MS13-020
    • Adobe said in an advisory that one of the vulnerabilities — CVE-2013-0634 - is being exploited in the wild in attacks delivered via malicious Flash content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment
o   Hackers were able to access twitter data, including usernames, email addresses, session tokens and encrypted/salted versions of passwords

o Twitter had reset passwords and revoked session tokens for the affected accounts, and encouraged users to ensure they had strong passwords.

o   A Twitter spokesperson said “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked”

    • It occurred "when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops.
    • Facebook says the laptops in question "were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines 
    • The Financial Services Authority (FSA) is to lead a government benchmarking scheme to produce guidance on cyber security for the financial services sector.
    • This includes a benchmarking programme, led by the FSA, to identify cyber and technology practices of 30 major financial institutions which, once concluded, will result in the publication of an updated Business Continuity Management Practice Guide
    • A secretive branch of China's military is probably one of the world's "most prolific cyber espionage groups", according to Mandiant, a US cyber security firm. 
    • Mandiant said Unit 61398 was believed to have "systematically stolen hundreds of terabytes of data" from at least 141 organisations around the world.
    • Cyber attacks are increasing with little sign of abatement.
    • Valuable data makes businesses a target. Data is a viable commodity for cybercriminals
    • Outsourcing IT and business systems saves money only if there’s no attack. Many third-party vendors leave the door open for attack, as they don’t necessarily keep client security interests top of mind.
    • Employees leave the door open to attacks. Whether due to lack of education or policy enforcement, employees pick weak passwords, click on phishing links, and share company information on social and public platforms.
    • Report identifies and details what Mandiant believes to be a building in China, responsible for state sponsored Advanced Persistent Threat (APT) against Western targets
    • Web Threats. The web became significantly more malicious in 2012, both as an attack vector and as the primary support element of other attack trajectories (e.g., social, mobile, email).
    • Social Media Threats. Shortened web links used across all social media platforms hid malicious content 32 percent of the time
    • Email Threats. Only 1 in 5 emails sent was legitimate, as spam increased to 76 percent of email traffic. Phishing threats delivered via email also increased
    • Malware Behavior. Cybercriminals adapted their methods to confuse and circumvent specific countermeasures. Fifty percent of web-connected malware became significantly bolder, downloading additional malicious executables within the first 60 seconds of infection.

Sunday, 3 March 2013

UK Data Protection Review for February 2013

    • The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
    • The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered
    • ICO stated “failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty”

    • They were caught carrying out the breaches for non-policing purposes, BBC Wales has discovered under the Freedom of Information Act. 
    • Included checks on partners, relatives and associates, altering their own records, and passing data to third parties.
    • Four people were sacked and 14 resigned as a result of the breaches

    • ICO said Compulsory data protection audits of councils and the NHS are needed to help eliminate "really stupid basic errors"