The niner noteworthy stories of 2017 (week 20)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Apple’s security, NHS records privacy and Hollywood content security


Hollywood studios ‘need to prioritise content security’

All things considered, it's not surprising these studios are an easy target. For an industry that has been fighting the changing technology landscape rather than embracing it, they probably also forgot to take account of the changing attack vectors. As security is probably mostly focused on the distribution of tapes and maybe DVDs with material, the electronic back doors are probably wide open.
If anything, the massive breach of Sony Pictures should have woken up the industry, but this example shows that clearly didn't happen.
The technical solutions given in the article will probably work, but whether they are the whole story greatly depends on how this movie was stolen. Security awareness, as always, plays a major role in all security programmes.
Watermarking digital content is a good measure to find stolen content and maybe trace some of it back to the person responsible for the leak, but it does not prevent it from leaking in the first place.
source: TVBEurope (external link)

Disney’s Bob Iger says the film hack threat was a hoax

TVBEurope also has a bit in their article about a possible hack threat against Disney, where a new film was held to ransom and would be released if the miscreants were not paid.
This BBC article gives some extra insights in this piece of the puzzle.
The most interesting bit is that a Disney exec said: “In today’s world, cyber security is a front burner issue.” To which I can’t but agree, apart from the cyber bit, which I still believe is only a hype term; the real value and threat remain with data and/or information, hence information security.
source: BBC News (external link)

Google collected NHS records of 1.6M patients on “inappropriate legal basis”

So you want to better inform the public on how their data is being used? Why not ask them for explicit consent whilst you are at it?
I have written about this data sharing with a branch of the big data slurp Google before on my blog and have criticised it as well, see here and here.
It seems the oversight party is agreeing on this topic, which is a positive thing for the privacy of all these patients’ health data.
It is a pity that the data only needs to be deleted if the Information Commissioner’s Office (ICO) agrees as well.
As for DeepMind’s assurance that the data was never shared with other Google branches nor used for commercial purposes, given Google’s reputation in the privacy domain I leave it for you to decide whether you believe that or not. Time will tell for sure.
source: Ars Technica UK (external link)

It’s 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book

So this time when Apple states in its release notes that this update improves the stability and security of your (fill in Apple product here), they clearly meant it, and on a pretty large scale too. If you like to read vulnerability numbers and accompanying CVE codes, then by all means read this article as it’s stuffed full of them.
Does this mean Apple products are insecure? Well, certainly less so as soon as you have updated all your systems, obviously. Judging a system’s security by the number of vulnerabilities found, however, is always a tricky business, as it greatly depends on what is actually published, how much effort is undertaken to find them, and whether they are actually patched as well.
Comparing operating systems purely on that basis is therefore comparing apples and pears (no pun intended). Although I must admit Windows security more often than not looks pretty pear shaped to me. And yes, I know the English saying is apples and oranges.
source: The Register (external link)

Data breaches leading to leaks and a phishing campaign


DocuSign Data Breach Led to Targeted Email Malware Campaign

So a mail server was breached and the e-mail addresses found were used in a very targeted phishing campaign, annoying at minimum, or very annoying if you fell for the scam, obviously. DocuSign stresses that that’s about it, no really.
However, if you read the article carefully you find something else which is somewhat troubling and goes back to the basics of why you should never use e-mail for sensitive information.
Whilst it is a good idea never to open attachments or click on links in mail messages (unless you are absolutely sure it’s safe), and DocuSign’s advice follows this as well, the part that comes next caught my attention.
Apparently all DocuSign messages contain a “unique security code provided at the bottom of every legit DocuSign email”. A what? So for everything you want to do at DocuSign you are using a unique security code that is sent in the clear over untrusted networks to your customers. Not only that, it sends the document link to the people who need to sign in cleartext e-mail as well, giving basically no guarantee whatsoever that the right person actually signed the document. It is also possible to access documents awaiting a signature that way by misusing the link sent, which could very well lead to a data leak too.
Yes, I know doing digital signatures the right and correct way is difficult, cumbersome and probably not for everyone, but this system puts trust in a medium like e-mail and hopes it won’t go wrong. Just like a lot of companies, btw, sending sensitive information over e-mail without having any clue that it’s hopelessly insecure.
source: the Hacker News (external link)

Gotcha, Tatcha! Thieves hide in servers to hoover up victims’ bank card numbers mid-order

It’s a pity that not more information has been provided on this breach in this article. It would have been extremely interesting to see how the criminal obtained access and the method deployed to grab all the payment data, as well as the account and login data.
Since the database was not compromised, I would guess a cross-site scripting attack is pretty likely here. However, why the attack and grab only seemed to take one day is puzzling to say the least.
The fact that it took them three months to discover the breach probably means that the credit cards obtained weren’t massively misused yet, or that customers and credit card companies never notified the retailer.
One piece of advice I am missing from this breached company, though, is to change your password everywhere you used the same one as on their site. Which you should never do in any case, but we all know it happens.
source: The Register (external link)

Zomato Hacked; Hacker Puts Up 17 Million Users’ Emails and Passwords On Sale

Well, you don’t see those often: a possible insider breach which leads to customer data being sold on the dark web. Interesting. As for their note on hashing functions: hashed passwords can never be converted to plain text, no matter what algorithm or how much salt you used or not.
Okay, it’s a nitpick on their wording, because brute forcing all combinations and gaining access to a matching password (that is, the hash values match) could be seen as converting back to plain text. However, it is not, as the password obtained that way doesn’t necessarily have to be identical to the password slurped in hashed format, as long as the hash value calculated, including the required salts, is identical.
On a side note, I think it’s a good thing that this food company is using multiple salts.
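To make the hashing point concrete, here is an added example (my own code, not Zomato’s and not taken from the article) of what a salted, iterated password hash looks like and how an attacker “recovers” a password from a leaked record: by guessing candidates and re-hashing each one with the stolen salt until the digests match, never by reversing the hash. The choice of PBKDF2-HMAC-SHA256, the iteration count and the sample passwords are my assumptions; the article does not state Zomato’s algorithm or parameters.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Assumption: iteration count chosen for this demo. Zomato's real parameters are
# not given in the article; production values should be higher.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is drawn when none is supplied, so two users
    with the same password end up with different stored hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Nothing is decrypted here: the only way to get True is to present a
    password that hashes to the same value under the same salt.
    """
    _, digest = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(digest, stored)


def crack_offline(salt: bytes, stored: bytes, wordlist: Iterable[str],
                  iterations: int = ITERATIONS) -> Optional[str]:
    """Offline dictionary attack against one leaked (salt, digest) record.

    Each guess is hashed with the record's own salt, so the work has to be
    redone per record; that is the cost a per-user salt imposes on the attacker.
    Returns the first matching guess, or None if the list is exhausted.
    """
    for guess in wordlist:
        if verify_password(guess, salt, stored, iterations):
            return guess
    return None


def demo() -> dict:
    """Constructed sample leak: two users share a weak password, one has a strong one."""
    # Constructed sample data, not from any real breach.
    weak_a = hash_password("password123")
    weak_b = hash_password("password123")
    strong = hash_password("q7$Lm!2vWz9#pRt4")

    # Constructed attacker wordlist; the strong password is not in it.
    wordlist = ["letmein", "123456", "password", "password123", "qwerty"]

    return {
        # Same password, different salts: the stored digests differ.
        "same_password_different_digest": weak_a[1] != weak_b[1],
        # Legitimate login still works because the salt is stored alongside.
        "login_ok": verify_password("password123", *weak_a),
        "wrong_password_rejected": not verify_password("password124", *weak_a),
        # The attacker only "converts back" a weak password by guessing it.
        "cracked_weak": crack_offline(*weak_a, wordlist),
        "cracked_strong": crack_offline(*strong, wordlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that `crack_offline` succeeds only because the guess hashes to the stolen digest; the attacker learns a preimage that works, which is exactly the “matching password” distinction made above.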
source: the Hacker News (external link)
Okay, apparently not internal, but an “ethical hacker” who tried to sell the data and then used extortion to have the victim launch a bug bounty programme to effectively buy its data back.
I don’t know where this Indian news site got its definition of “ethical”, but it certainly is not written that way in my dictionary.
This was simply a criminal hacker who chose a different tactic, either because he couldn’t get the data sold or because he was discovered. I would advise Zomato to go to the authorities and have them launch a criminal investigation. This person is certainly NOT an ethical hacker, and naming them that way is a grave insult to those in the security community who can carry that title with pride and dignity.
source: India Today (external link)

Bell Canada hacked: 2m account details swiped by mystery miscreants

Seems this telco has a habit of misusing or leaking customer data, twice in two years even. And again we see the comment that no financial data was compromised, though the other data that was stolen will certainly have its value on the black market as well.
Interesting to see that they give very little detail on the matter, which is unfortunate as other companies could have learned from their mistakes.
source: The Register (external link)

Aviation and Information security


Google (not the GDS) is the new enemy in airline distribution

Although not strictly an information security topic, this story certainly has privacy implications, which is pretty obvious as Google is part of it and that always raises privacy concerns. In this respect it’s the monetisation of all that airline customer data plus the data of the airlines themselves.
Google therefore is quickly becoming the single point of failure in the travel industry as it comes to controlling the customer experience for the airlines and their passengers.
Yes, of course airlines need to innovate, cut the crap out of their complex ticket structures and offer a good desktop and mobile experience, etc., but ultimately they indeed need to share data with Google Flight Services on their terms, not on Google’s.
KLM has tried to make the fare structure in Europe less complicated by offering just three different price points. However, nothing is as it seems, as there are still different seat prices within each level as well, making it complicated again. Their mobile and desktop experience, at least from an assistive technology perspective, is downright horrible.
But as for the privacy bit, airlines have a duty to keep their passengers’ data safe and secure. Running with open arms and blindfolded into the arms of GFS does the exact opposite, however.
source: TNOOZ (external link)

Airplane cockpit security codes leak onto the Internet

So not only does United have a problem with customer service, they apparently have a lapsing security culture as well. And yes, there we have one of those statements again which seem to contradict the current facts:

“The safety of our customers and crew is our top priority and United utilizes a number of measures to keep our flight decks secure beyond door access information,” United said in a statement. “In the interim this protocol ensures our cockpits remain secure.”

It is only one step in a complex security procedure we have seen since the attacks of 9/11 in airlines across the world, and which can also work against the safety of passengers and crew. The Germanwings incident in 2015 is an unfortunate example of the other side of the coin of better security for the cockpit area.
United is correct that if the remainder of the protocol is followed, the risk is minimal. But if that is the case, do we really need those security codes at all? True, it gives a sense of safety to the flight crew, but is it really that much safer than the situation before the 9/11 attacks, or is it more borne out of a panic response to what happened that day, without really weighing all the pros and cons of such a move?
source: Ars Technica UK (external link)