These are the noteworthy stories, in no particular order, that piqued my interest last week.
- Hackers hit University of Cambridge leaking 1500 email addresses and passwords
- Hacker selling 655,000 patient records from 3 hacked healthcare organizations
- NHS psychiatric patients’ records found in filing cabinet sold on eBay
- Facebook ‘hack’ victim exposes passport scam
- Hackers steal $10 million from a Ukrainian bank through SWIFT loophole
- CLEVER ATTACK USES THE SOUND OF A COMPUTER’S FAN TO STEAL DATA
- How executives really feel about infosec reports
- The quickest way to annoy a privacy pro
- Symantec security software had ‘critical’ flaws
Hackers hit University of Cambridge leaking 1,500 email addresses and passwords
A security breach these days is nothing new; the saying “consider yourself compromised” may hold more truth than a lot of us are willing to believe. Storing passwords in cleartext, however, certainly with the level of technology available by default, is an absolute no-go these days.
The advice offered in this article, to use strong passwords on new online accounts, entirely misses the impact of this particular breach. The advice is sound by itself, but if passwords are stored in cleartext, as was done here, the strength of the password has no effect whatsoever on the consequences of the leak.
Strong passwords only defend against guessing attacks, where the attacker holds the hashed version and has to try candidates one by one. They can never defend against passwords being stored in a form that can simply be read and used directly, in cleartext rather than as a salted, slow hash (encryption is at best a second choice, since the reversible key then sits on the same server). A quick check for any site: if it can e-mail you your current password, or a dump of its user table contains the passwords themselves, password strength is irrelevant.
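To make the point concrete, here is an added example, written for this post and not code from the article or from the University, showing what a leaked record is worth to an attacker depending on how it was stored. It uses only the Python standard library (PBKDF2-HMAC-SHA256 with a random per-user salt); the iteration count is an assumed value kept low for the demo, and the three-word wordlist is a constructed stand-in for an attacker's dictionary.

```python
"""Added example (not from the article): salted, slow password hashing
versus cleartext storage, and what a leaked record is worth to an attacker.

Standard library only. ITERATIONS is an assumed work factor kept low for the
demo; a real deployment uses a much higher count or a memory-hard KDF.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

SCHEME = "pbkdf2_sha256"
ITERATIONS = 50_000   # assumed demo value
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)            # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                                  # malformed record, never a match
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_from_dump(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against one leaked hashed record.

    Each guess costs the attacker a full KDF run, and the per-record salt means
    the work cannot be shared across users or precomputed into a lookup table.
    """
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data for the demo.
    wordlist = ["123456", "password", "letmein"]
    weak = hash_password("letmein")
    strong = hash_password("correct horse battery staple")
    print("weak record cracked as:", crack_from_dump(weak, wordlist))       # letmein
    print("strong record cracked as:", crack_from_dump(strong, wordlist))   # None
    # With cleartext storage neither result needs computing: the dump is the password.
```

Against the hashed records every guess costs one full KDF run, so the weak password falls to the wordlist and the strong one survives it; against a cleartext dump there is nothing to guess at all, which is why the strength advice is beside the point for this particular breach.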
source: International Business Times UK (external link)
Hacker selling 655,000 patient records from 3 hacked healthcare organizations
As a lot of credit card companies, and companies that rely on credit cards for payments, are tightening security, the profit in stealing card data is going down. Clearly new avenues of cyber crime are being found in the extortion of companies holding massive databases of, as in this case, health records. Again, badly configured remote access systems (RDP, Remote Desktop Protocol) and apparently readily available cleartext usernames and passwords seem to be the main routes the hacker used; it stands to reason that security was not up to scratch by a long shot. RDP should not be reachable from the internet at all; where remote access is needed, put it behind a VPN or gateway with multi-factor authentication, enforce account lockout, and make sure credentials are not lying around in cleartext on the very systems being accessed.
As more and more health data becomes available in digital form, designing and maintaining the security of these systems well becomes equally important. And yes, the privacy of such data matters too, as information security will not at every point protect against unauthorised access to and use of medical data.
source: Computerworld (external link) and BBC News (external link)
NHS psychiatric patients’ records found in filing cabinet sold on eBay
What is it with officials of any organisation or company saying they take confidentiality very seriously after a data leak has occurred? Clearly, even if this is a one-off incident, it was not taken seriously enough, or you would not have to apologise for this specific data leak now, would you?
Information security (and yes, this isn't “cyber”, as it is about physical printed documents) also has to deal with the destruction of information if and when an organisation closes down and sells off its furniture, filing cabinets included. There is a very good DIN standard for this as well (DIN 66399), which will tell you what level of destruction is required for what level of sensitive data, provided you have done your data classification correctly of course.
source: International Business Times UK (external link)
Facebook ‘hack’ victim exposes passport scam
The most interesting sentence in this article is actually: “But the BBC understands that the decision to accept the fake ID was a mistake that violated the firm’s internal policies.” It clearly demonstrates that either the internal security policies are not enforced or not known, or that this attacker bypassed them using the usual social engineering tricks.
Another pointer that something was not right would have been that the request clearly did not come from the account’s associated e-mail address. Freezing the account, as the victim suggests, does not really help here; simply ignoring the request and recording it as a security incident would be more appropriate.
The last bit, which is somewhat disturbing, relates to the following sentence; I leave it to you to form your own opinion on it. On restoring the account to its rightful owner, the article states: “Following the publication of his Reddit post, Facebook restored all his accounts.”
source: BBC News (external link)
Hackers steal $10 million from a Ukrainian bank through SWIFT loophole
This is one of those stories that will not go away easily. Whilst the SWIFT system itself is not compromised, the fact that it still allows banks to be part of its trusted network, and is only now thinking about expelling members that lag behind in implementing robust security policies and measures, may enable future attacks. A lot will depend on whether SWIFT is willing and able not only to define a minimum security baseline its members must comply with, but also to audit and measure compliance in an effective way.
The scope of these attacks may never be known, as in some cases only small amounts have been stolen and, as the SC article correctly points out, because of a lack of reporting in some countries.
source: Kyiv Post (external link) and SC Magazine UK (external link)
CLEVER ATTACK USES THE SOUND OF A COMPUTER’S FAN TO STEAL DATA
Air-gapped systems are computer systems that have no internet connection whatsoever. Sometimes they are even fully stand-alone, without any network connection at all, not even a local one.
So how do you get data off such a machine? Use the fan noise: modulate the fan speed to produce an audible signal that sends 0s and 1s over a short distance. The concept of an acoustic covert channel is far from new; applying it through the fan, which every machine has and which nobody treats as an output device, is what makes it interesting.
The attack vector itself has an extra difficulty, as the listening device needs to be literally within earshot of the transmitting machine for it to be effective. Mitigation may therefore be straightforward as well (keep devices with microphones, phones included, out of the room, and treat fan speeds that change without a matching change in load as suspicious), but only if such measures are strictly enforced.
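To illustrate the mechanism, here is an added example written for this post, not the researchers' code: a toy simulation of a two-tone covert channel in which the transmitter holds one of two tones per bit, the way the fan would be driven at one of two speeds, and the receiver picks the dominant tone in each symbol window of a noisy recording. The sample rate, the two tone frequencies, the symbol length and the noise level are all assumed values, and the payload is constructed for the demo.

```python
"""Added example (not the researchers' code): a toy acoustic covert channel.

The transmitter encodes each bit as one of two tones (binary FSK), standing in
for two fan speeds; the receiver measures which tone dominates each symbol
window of a noisy "recording". All parameters below are assumed demo values.
"""
import math
import random
from typing import List

SAMPLE_RATE = 8000            # assumed: microphone samples per second
SYMBOL_SECONDS = 0.05         # assumed: each bit is held this long (20 bit/s)
F_ZERO = 1000                 # assumed: tone (fan speed) meaning bit 0
F_ONE = 1600                  # assumed: tone (fan speed) meaning bit 1
SAMPLES_PER_SYMBOL = int(SAMPLE_RATE * SYMBOL_SECONDS)   # 400 samples per bit


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list of the payload."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(data: bytes) -> List[float]:
    """Transmitter: hold tone F_ONE or F_ZERO for SAMPLES_PER_SYMBOL samples per bit."""
    samples, n = [], 0
    for bit in bytes_to_bits(data):
        freq = F_ONE if bit else F_ZERO
        for _ in range(SAMPLES_PER_SYMBOL):
            samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
            n += 1
    return samples


def add_noise(samples: List[float], amplitude: float, seed: int = 1) -> List[float]:
    """Room noise, constructed with a seeded PRNG so the demo is repeatable."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def tone_energy(window: List[float], freq: float) -> float:
    """Magnitude of a single DFT bin: how much of `freq` is present in the window."""
    re = sum(x * math.cos(2 * math.pi * freq * n / SAMPLE_RATE) for n, x in enumerate(window))
    im = sum(x * math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n, x in enumerate(window))
    return math.hypot(re, im)


def demodulate(samples: List[float]) -> bytes:
    """Receiver: for each symbol window decide which of the two tones dominates."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_SYMBOL + 1, SAMPLES_PER_SYMBOL):
        window = samples[start:start + SAMPLES_PER_SYMBOL]
        bits.append(1 if tone_energy(window, F_ONE) > tone_energy(window, F_ZERO) else 0)
    return bits_to_bytes(bits)


def exfiltrate(data: bytes, noise: float = 1.0) -> bytes:
    """End to end: modulate, pass through a noisy room, demodulate."""
    return demodulate(add_noise(modulate(data), noise))


if __name__ == "__main__":
    secret = b"HI"                                   # constructed payload
    recovered = exfiltrate(secret)
    seconds = len(secret) * 8 * SYMBOL_SECONDS
    print(f"sent {secret!r}, received {recovered!r} in {seconds:.1f} s of fan noise")
```

The simulation leaves out what makes the real attack hard: synchronising the receiver to the start of a transmission, the very low bit rates a physical fan can sustain, and the distance limit the article describes. It does show why the mitigation is physical rather than logical: there is no network traffic to filter, only sound, so the defence is keeping microphones out of earshot.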
source: Wired (external link)
How executives really feel about infosec reports
Interesting article with a lot of numbers and percentages. The core take-away, however, is that there is still a large gap between security professionals and board members. Do they really understand what information security officers are reporting? Is it just the reporting and the metrics that count, traffic-light dashboards included? Are reports really based on the company’s critical business processes and most valuable assets?
To me, good reporting and risk management is more than a list of metrics and a dashboard; it involves truly understanding what information (cyber) risks mean to the business, preferably expressed in business language, which is sometimes difficult to do but is the ultimate way to bring your point across. The last paragraph of the article echoes that vision, and I can’t but agree.
source: Help Net Security (external link)
The quickest way to annoy a privacy pro
Being versed in both information security and information privacy (and yes, as an information privacy professional, for a change I come from an IT background, not a law/compliance one), I find the tone of this article arrogant and over-simplifying when it comes to information security. Either that, or the author is just very frustrated by the misunderstandings between security and privacy professionals.
It is a pity, as the issue he describes does exist and requires the attention proposed in the article as well. However, privacy pros can easily walk over to the other side of the building to talk to the security professionals too. It would also greatly help if privacy lawyers understood some basic IT concepts. This is not an issue to be solved one way; it will require work from both the security and the privacy professionals to bring together the best of both fields in the current information society.
And yes I can help with that as well within your organisation.
source: CSO Online (external link)
Symantec security software had ‘critical’ flaws
Whilst we can thank Google for the discovery, the main question arising from this incident is why a large security software vendor like Symantec had a whopping eight critical security flaws in its security software. The answer could be as simple as the fact that code is written by humans and every 1,000 lines of code are sure to hold at least one bug, but in my opinion it isn’t that easy.
Other sources, however, list some of these bugs as ones that security software writers should be all too familiar with. One of the flaws is a buffer overflow vulnerability, made even worse by Symantec’s use of the highest level of execution privilege (kernel level) to unpack files: a parser of attacker-controlled input running in the kernel turns a single memory-safety bug into a full system compromise.
I’m not a software developer, so there is probably a good reason for this use of kernel space, but for some reason it doesn’t feel right, specifically when it concerns security software.
source: BBC News (external link)