Posted by Kevin on September 4, 2014.
The ITsecurity daily security briefing: Thursday, September 4, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
“You violate our rights, we tear down your databases.” Anonymous
I tried to have a look just to see if this is new and serious or old and mediocre – but first Twitter tried to stop me (Don’t go there!); and then the hosting company refused to display (said it was over CPU usage; so either it was lying or a million other like-minded journos had just DoS’d the site). I was interested in case I could see any link between this and the reported tango-down of Anonymous UK by GCHQ, supposedly in response to the Anonymous demonstration outside GCHQ’s Cheltenham UFO building last week. The demonstration, incidentally, was poorly attended. We Brits are passionately apathetic, and that apathy will conduct us all the way to a fully-fledged Cameron-led police state.
CERT/CC Enumerates Android App SSL Validation Fails
The CERT Coordination Center has launched a project that names and shames Android apps that fail to properly perform SSL certificate validation. Because such an app does not check that the server’s certificate chains to a trusted CA and matches the expected hostname, anyone on the network path (a rogue Wi-Fi hotspot, say) can present their own certificate, terminate the connection and read or modify everything the app sends, including credentials. Problem is, there’s an awful lot of them. You can get a technical description of the project from the CERT blog; or you can read a more accessible description on ThreatPost. The current list of vulnerable apps is shown on a spreadsheet here.
When Can the FBI Use National Security Letters to Go After Journalists? That’s Classified
“Two weeks ago, the DOJ Inspector General released a report on the FBI’s use of National Security Letters (NSLs)—the controversial (and unconstitutional) surveillance instruments used to gather personal information of Americans without any prior oversight from a judge. In a little-noticed passage buried in the report, the IG describes how NSLs have been used on journalists in the past, and indicates that the FBI can currently circumvent the Justice Department’s media guidelines to do so in the future.”
Freedom of the Press Foundation:
France is working on a draft bill to protect trade secrets
The draft proposes three requirements for the ‘secret’ to be protected by law: private, valuable and defended. The crime is defined, “The fact for anyone to read or disclose without authorization, or divert any information protected under secrecy within the meaning of Article L. 151-1 of the Commercial Code is punishable by three years imprisonment and a 375,000 euros fine.” (Google translation from the French)
Verizon failed to tell 2 million people it was using their personal info for marketing. Now the FCC is making it pay.
“Verizon has agreed to pay a $7.4 million penalty after the company failed to tell 2 million customers they could opt out of having their personal information used for marketing purposes, according to federal regulators. The fine is the largest ever levied by the Federal Communications Commission on a phone company over a privacy misstep. The FCC is also requiring that Verizon notify customers about their ability to opt out of marketing on every single bill they receive.”
The Washington Post:
Nearly All U.S. Home Depot Stores Hit
“New data gathered from the cybercrime underground suggests that the apparent credit and debit card breach at Home Depot involves nearly all of the company’s stores across the nation. Evidence that a major U.S. retailer had been hacked and was leaking card data first surfaced Monday on the cybercrime store rescator[dot]cc, the shop that was principally responsible for selling cards stolen in the Target, Sally Beauty, P.F. Chang’s and Harbor Freight credit card breaches.”
Dorking is not just a town in Surrey – just ask Google
Back in July, the FBI issued an alert (specifically for police, fire, EMS and security personnel) on Google Dorking: “Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. ‘Google dorking’ has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities.” If you think this is a bit alarmist, have a look at the Dork cheatsheet published by Anonymous on the CyberGuerilla website.
West Coast Labs Completes Spinout to a Fully Independent Company
“West Coast Labs LLC, a global leader in research, testing, certification, and real-time performance validation for information security products and services, today announced it has completed its spinout from Haymarket Media Group to become a fully independent entity. The company’s global headquarters and test facilities have relocated from the UK to the US, and the management team has been strengthened…”
West Coast Labs:
Industry Experts Speak Out on Advanced Evasion Techniques
“Advanced evasion techniques, or AETs, are delivery mechanisms used to disguise advanced persistent threats (APTs) and permit them to slip through network security undetected. AETs work by splitting up malicious payloads into smaller pieces, disguising them, and delivering them simultaneously across multiple and rarely used protocols. Once inside, AETs reassemble to unleash malware and continue an APT attack.” An excellent analysis and discussion.
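The core of the quoted mechanism, split the payload so that no single piece contains the signature and let the endpoint put it back together, is worth seeing in code. The following is an added example (mine, not from the report or from any vendor) reduced to one protocol, TCP segmentation: the attacker cuts the payload inside the signature and sends the segments out of order; an inspector that matches each segment in isolation misses it, while one that reorders and reassembles the stream before matching catches it. The signature, payload and segment sizes are constructed for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

public class EvasionReassemblyExample {

    /** One TCP segment: relative sequence number plus its bytes. */
    static final class Segment {
        final int seq;
        final byte[] data;
        Segment(int seq, String data) { this.seq = seq; this.data = data.getBytes(); }
    }

    /** Plain byte-string search (what a signature engine does at its simplest). */
    static boolean contains(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    /** Packet-at-a-time inspection: each segment is matched on its own. */
    static boolean naiveMatch(List<Segment> segments, byte[] signature) {
        for (Segment s : segments) {
            if (contains(s.data, signature)) return true;
        }
        return false;
    }

    /**
     * Stream-aware inspection: order by sequence number, concatenate, then
     * match. Returns false on a gap because the stream cannot be rebuilt;
     * a production IDS would buffer and wait for the missing segment instead.
     */
    static boolean reassembledMatch(List<Segment> segments, byte[] signature) {
        List<Segment> sorted = new ArrayList<>(segments);
        sorted.sort(Comparator.comparingInt(a -> a.seq));
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        int expected = 0;
        for (Segment s : sorted) {
            if (s.seq != expected) return false;
            stream.write(s.data, 0, s.data.length);
            expected += s.data.length;
        }
        return contains(stream.toByteArray(), signature);
    }

    /** Attacker side: cut the payload inside the signature and deliver out of order. */
    static List<Segment> evasiveSplit(String payload, String signature) {
        int cut = payload.indexOf(signature) + signature.length() / 2;
        Segment head = new Segment(0, payload.substring(0, cut));
        Segment tail = new Segment(cut, payload.substring(cut));
        return Arrays.asList(tail, head);   // tail first: out-of-order delivery
    }

    public static void main(String[] args) {
        // Constructed sample: a request carrying a string the inspector is looking for.
        String signature = "cmd.exe /c";
        String payload = "GET /search?q=cmd.exe /c whoami HTTP/1.1\r\nHost: example.test\r\n\r\n";
        byte[] sig = signature.getBytes();

        List<Segment> whole = Arrays.asList(new Segment(0, payload));
        List<Segment> evaded = evasiveSplit(payload, signature);

        System.out.println("unsplit,   naive:       " + naiveMatch(whole, sig));        // true
        System.out.println("split,     naive:       " + naiveMatch(evaded, sig));       // false: evaded
        System.out.println("split,     reassembled: " + reassembledMatch(evaded, sig)); // true
    }
}
```

The lesson for the defender is that signature matching is only as good as the normalisation in front of it: reassembly has to happen before inspection, on every protocol layer the attacker can fragment, and with the same reassembly policy (overlap handling, timeouts) as the target host, otherwise the sensor and the endpoint see different data and the gap is exactly what the evasion exploits.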
The Chinese Underground in 2013
“We have been continuously monitoring the Chinese underground market since 2011. And by the end of 2013, we have seen more than 1.4 million instant chat messages related to activities in the market from QQ™ Groups alone. This research paper reviews these millions of messages, along with trends observed and product and service price updates seen in the Chinese underground market throughout 2013.”
Well, that didn’t take long: get your naked celeb photos here!
“The first threat we found hails from Twitter, in the form of a tweet being posted with hashtags that contain the name of one of the leak’s victims – Jennifer Lawrence. The tweet spo[r]ts a shortened link that, if clicked, leads the user to a website offering a video of the actress in question. If the user goes on to engage the playback, they are instead redirected to a download page for a ‘video converter’. The downloaded file is detected as ADW_BRANTALL.” There are others, and there will be more. Go buy a magazine – it’s safer.