These are the noteworthy stories, in no particular order, that piqued my interest last week.
- NIST requests ideas for crypto that can survive quantum computers
- US fails to renegotiate arms control rule for hacking tools
- Leaked documents show breadth of iPhone data accessible by Cellebrite forensic tool
- EU financial regulators say more rules may be needed for Big Data
- Mobile banking trojans adopt ransomware features
- Industrial automation makers and utilities facing spear phishing probes, says Kaspersky
- LinkedIn’s Lynda Latest to Suffer Data Breach
- Almost 800,000 to be notified because more than 100 Los Angeles County employees fell for a phishing attack
- INSIDE LEAKEDSOURCE AND ITS DATABASE OF 3 BILLION HACKED ACCOUNTS
NIST requests ideas for crypto that can survive quantum computers
Christmas miracle: Government preparing properly for problem expected to land in ~20 years
As short-sighted as most governments are, including their agencies, this is maybe a bit over the top on planning ahead. Then again, it isn’t only cryptographic systems that take ages to become commonplace in our IT landscapes. Protocols like IPv6 will easily pass the 30-year mark before they have fully replaced their predecessor, and DNSSEC will have close to 20 years or more on its timescale as well.
Considering this, the move by the National Institute of Standards and Technology (NIST) isn’t as far-fetched as you may think. Although, in true short-sightedness, setting a deadline of just under one year probably reveals the true identity of the organisation as a government agency again.
source: The Register (external link)
US fails to renegotiate arms control rule for hacking tools
The problem with these kinds of arrangements is usually not only the time it takes to agree on something in the first place, but the fact that technological advances may make some of the agreed positions irrelevant the moment agreement is finally reached.
Another point of discussion here is what constitutes a weapon system. Note that before 1996 cryptography of sufficient strength (that is, anything not weak enough for the American agencies to crack easily) was treated as a weapons export, something the Bush administration tried to reinstate after the 9/11 attacks in 2001.
Generally the question is whether you can actually limit the export of security tools without harming the security research and information security professions, which, if not possible, would immediately lead to higher security and privacy risks for society.
source: Hearst Seattle Media (external link)
Leaked documents show breadth of iPhone data accessible by Cellebrite forensic tool
There is actually only one lesson to be learned here: if you have newer hardware with up-to-date encryption technology built in, there is effectively only one thing you need to do yourself as an end user: set a passcode of sufficient strength.
Yes, I know there will certainly be other methods to break into a sufficiently protected iPhone or iPad, including copying a dead man’s fingerprints, but at least using the protection methods available to you will make it that much harder to lose your data when you lose your device.
source: Apple Insider (external link)
EU financial regulators say more rules may be needed for Big Data
Insurance companies, specifically, have been using such classification models for decades. This I know from experience with an insurance policy I once had for my bicycle, which carried a higher premium because I was living in the Amsterdam area and because, within that area, apparently more bikes get stolen. The fact that these companies want even more data to decide which product to sell to which consumers at what price is therefore not very surprising.
The implications, however, can be extremely far-reaching and potentially life-threatening if health insurers were to use big data to make sure they charge extremely high premiums to high-risk customers.
So, as to the question whether extra regulations are necessary, I am inclined to answer yes.
source: Reuters (external link)
Mobile banking trojans adopt ransomware features
It is not surprising that this is possible on Android devices. Apple’s iOS by default doesn’t allow any third-party app to install when it is downloaded from a source other than Apple’s own App Store, although there are ways around this when a device is jailbroken or when a user specifically accepts an unsigned application from an unknown developer. While Apple’s iOS may be less vulnerable to this specific attack vector, that doesn’t mean the mobile operating system is technically not vulnerable to these types of attack at all; it will just be more difficult to pull off than on an Android phone.
source: CSO Online (external link)
Industrial automation makers and utilities facing spear phishing probes, says Kaspersky
SCADA, ICS or DCS systems (no, they are not all the same thing) are indeed vulnerable, even more so than your usual office computer. However, attacking those and causing specific and predictable carnage is also more difficult because of the nature of such systems. In these cases it will greatly depend on the attackers’ knowledge of specific industrial protocols, the type and setup of the industrial control system, as well as the specific tasks the system performs for the specific factory or plant. Considering this, fully misusing gained access to such systems is certainly not trivial.
source: IT World Canada (external link)
LinkedIn’s Lynda Latest to Suffer Data Breach
Some of those with no password data in the Lynda.com database are probably LinkedIn premium users who obtain access to the learning service as part of their premium subscription.
Apparently, though, LinkedIn isn’t as forthcoming in notifying those people of this breach. As the login procedure uses LinkedIn rather than Lynda.com itself for authentication, no password data will be available for those accounts in the compromised database.
A notification of the breach would, however, have been respectful to paying customers, as other data was part of the breach, which could have consequences other than direct account access, e.g. being used for phishing attacks.
As a premium LinkedIn subscriber myself and a user of the Lynda.com system I can state from personal experience that they did not notify me about this breach in any way.
source: Infosecurity Magazine (external link)
and The Register (external link)
Almost 800,000 to be notified because more than 100 Los Angeles County employees fell for a phishing attack
A classic case of failing security awareness, certainly if over 100 staffers provided their username and password to a phishing fraudster. There is, however, another interesting fact in these articles, which is the massive delay between the occurrence and its actual publication over 7 months later.
Although I can think of a couple of reasons why investigators don’t want something to go public, that doesn’t take into account that during those 7 months the potential victims are at risk and, even worse, don’t even know they are. Whatever the reason for it, I classify this as irresponsible.
source: Office of Inadequate Security (external link)
and CBS Interactive (external link)
INSIDE LEAKEDSOURCE AND ITS DATABASE OF 3 BILLION HACKED ACCOUNTS
Whilst this may indeed be a useful service, and some anonymity may be required as well, there are certainly pros and cons to this service and its business model. Far be it from me to judge what they are doing as either negative or positive. However, the fact that such a service exists is interesting to know in itself.
Having all that data in one giant database obviously isn’t without its own security and privacy issues.
source: Wired (external link)
Site that sold access to 3.1 billion passwords vanishes after reported raid
Update (February 1st, 2017): Sometimes something turns out not to be what it claims to be. This also holds for this case, as apparently their business model was indeed a bit more dubious than was portrayed in the previous article. If indeed they also cracked password hashes and sold that data to whoever would pay for it, it is no wonder this company would ultimately be rolled up and taken offline. The question that remains is how many others have already obtained a full copy of the database with cleartext credentials.
source: Ars Technica (external link)