Posted by Kevin on September 5, 2014.
The ITsecurity daily security briefing: Friday, September 5, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Twitpic to shut down
“Twitpic will shut down Sept. 25 after the company was unable to resolve a trademark dispute with Twitter, it said Sept. 4. The company claimed Twitter wanted it to abandon its trademark to the term “twitpic” or it would revoke the company’s API access.” Twitter said it was merely protecting its brand; but it seems that it was effectively demanding that Twitpic hand the trademark over. If this is the correct interpretation, then Twitter is evolving from a great company into a bully.
Windows malware begins migrating to OS X
“FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd – OSX.XSLCmd – which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009. This discovery, along with other industry findings, is a clear indicator that APT threat actors are shifting their eyes to OS X as it becomes an increasingly popular computing platform.” The actor is believed to be a group called ‘GREF’, previously known for targeting the US Defense Industrial Base (DIB), electronics and engineering companies worldwide.
Could/should the celebrities sue Apple?
Forbes reports: “But here’s the crucial point: the researcher who publicly detailed an apparent brute force flaw in iCloud over the weekend, Alexey Troshichev, said he would have told Apple about that vulnerability if it had implemented a bug bounty project. The Russian told me he would have done so instead of posting the information on Github, a public code depository, which likely helped hackers successfully compromise iCloud accounts. In short, a bug bounty might have saved Apple a lot of pain.”
Note also, Robert Graham in Errata Security writes, “When you get sued for a cybersecurity breach (such as in the recent Home Depot case), one of the questions will be ‘did you follow industry norms?’. Your opposition will hire expert witnesses like me to say ‘no, they didn’t’. One of those norms you fail at is ‘Do you have a vuln bounty program?’.”
Apple does not have a bug bounty program. Is it vulnerable to being sued by anyone and everyone who loses personal data from iCloud?
Errata Security: http://blog.erratasec.com/2014/09/vuln-bounties-are-now-norm.html
Court Orders Twitter to Reveal Data on Handle’s ID
“A man falsely charged with posting an in-court photograph of a 12-year-old sexual assault victim is entitled to information that could identify the culprit who apparently assumed his identity and shared the picture on Twitter, a Brooklyn judge has held. Supreme Court Justice Francois Rivera held that the conduct of whoever posted the picture evinced such “atrocious malice” that the First Amendment provides no shield. Rivera ordered Twitter Inc. to reveal information that would allow the plaintiff to identify the individual who posted the photograph.”
New York Law Journal:
Microsoft introduces three new phones
“On Thursday, the tech giant introduced three new devices, its first ones since the completion in April of its $7.5 billion deal for Nokia’s cellphone business and just a few months after announcing the layoffs of 18,000 workers at the division. The models will retail from $259 to $390 without a contract with a carrier, according to Microsoft. In contrast, Apple’s most recent phone, the iPhone 5S, costs $649 on its website. By offering cheaper smartphones, Microsoft is hoping that it can finally break out from its mediocre market share to offer an alternative to the dominant operating systems from Apple and Google.”
NYT’s Bits Blog:
FireEye has provided details on the number of ransomware victims it has saved from CryptoLocker’s clutches – nearly 3000.
Europol chief takes instructions on document access from Americans
“The head of the EU police agency Europol is taking instructions from the Americans on what EU-drafted documents he can and cannot release to EU lawmakers. The issue came up over the summer when US ambassador to the EU Anthony Gardner told EU ombudsman Emily O’Reilly she cannot inspect an annual Europol report drafted by the agency’s own internal data protection review board. The report describes how data concerning EU citizens and residents is transferred to the US.”
Sophie in ’t Veld (Netherlands, D66), Vice President of ALDE, commented, “This is a flagrant violation of the powers of the Ombudsman and Community law on freedom of information… It is shocking that an ally is trying to prevent the EU from applying its own legal access to documents.”
Bitcoin and Virtual Currency Regulation
Excellent discussion on the pros and cons of bitcoins: “If virtual currency flourishes, it could modernize the financial currency system and ease the complexity of international transactions in particular. It may be that Bitcoin will only be a pioneer in the field of virtual currencies, but will be overshadowed by an easier-to-use rival. The challenge for regulators will be how to strike the appropriate balance in regulating the rapidly evolving and complex virtual currency systems without restraining their growth and development.”
New York Law Journal:
F-Secure Labs Threat Report Webinar
Get a preview of Monday’s F-Secure Threat Report. “Join Mikko and the F-Secure Labs live for news about Gameover Zeus, industrial espionage and the latest threats to Mac, PC and Mobile.”
Google+ Hangout: 5 September (today!) at 15:00 BST: