Posted by Kevin on September 12, 2014.
The ITsecurity daily security briefing: Friday, September 12, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Don’t let FCC kid you – US internet is a racket
Since US cable companies are already charging their customers more than other countries, how come they are trying to charge even more? “A British family, for example, could spend roughly one-third of what an American family does for comparable communications services…
Most U.K. consumers purchase their communication services in a bundle. A single provider delivers a package with TV, Internet, phone and cellphone services. In the U.S., services are often sold separately. Regulatory policy differs as well. For example, U.K. regulators require clear pricing information. In the U.S., pricing tends to be confusing, and comparisons between competitors are hard to make. U.K. regulators also have tried to ensure that consumers are free to switch if they get a better deal, while U.S. customers can be locked into multiyear contracts. No matter what the reasons are, when it comes to the cost of communications services, the U.K. seems to be sending America a message.”
CNIL warns that Google is not being, well, straightforward
In an interview with La Croix, Isabelle Falque-Pierrotin, president of the National Commission on Informatics and Liberties (CNIL – the French data protection regulatory body) warned that Google is consciously muddying the water over the ‘right to be forgotten’. “The debate on censorship is very exaggerated. It should be understood that the offending articles are not removed. The engine is limited to removing the link to the article or photo that a user wants to see disappear from search results obtained by typing the name of that individual. But these pages are still being indexed and can be identified if a query on another element of the article or photo is run. The online image of the complainant is rectified at the margin.
Google has carefully cultivated this ambiguity to cause controversy over censorship of search engines and discredit the right to be forgotten. We will receive in Brussels European representatives of the press and online search engines to reassure them about the effects of that decision. I am also in favor of the news sites concerned being made aware of ‘de-indexing’ to maintain their vigilance against possible abuses.”
Meanwhile, several civil liberties groups have penned a more restrained but similarly motivated open letter to the Google Advisory Council urging that the members do not lose track of the real issues:
“We hope that the Advisory Council will seize the opportunity of the meetings organised in several European capitals to clarify and elaborate on the implementation of the ruling, and to ensure that Google’s implementation of the ruling is transparent, accountable, and in line with fundamental rights.”
Target and Home Depot may not be linked after all
Security researcher Josh Grunzweig of Nuix has published a detailed comparison of the BlackPOS malware used against Target with the recently discovered malware (dubbed BlackPOS 2) thought to have been used against Home Depot. His conclusion is that the new ‘version’ is not a variant at all, but a different malware developed by a different actor. “While this particular sample may not be the newest variant of BlackPOS, it is still very much a serious threat. It employs a number of simple tactics that make it difficult to detect without specific knowledge of the malware family itself.” He also points out, however, that we have no confirmation that the newer malware is actually the one used against Home Depot – so the attacks could indeed still be related.
Corruption in – rather than by – Huawei
“Huawei Technologies Co Ltd, China’s largest telecom equipment maker, found four employees in violation of the company’s policies on corruption as part of an internal inspection, a source familiar with the matter said.
“In response to the findings, Huawei has held training sessions to educate employees on how to steer clear of possible bribery, the source said, declining to be identified because he was not authorized to speak about the matter to the media.”
Compromised Website Used To Hack Home Routers
Sucuri has analysed the compromised website of a Brazilian newspaper, and has found that it is being used to compromise home users’ DSL routers by brute forcing the credentials. “The easiest way to address an issue like the one describe[d] above is to move beyond the default user name / password configuration. Odds are many of you unpackage the router, set it up and go about your business. You’re safe, who would want access to your home router? Well, now you know who. Routers are the backbone of the internet, even those that you use in your homes.”
Ex-NSA chief’s hack patent raises questions
Keith Alexander left the NSA and quickly set up a new security firm that promises to provide proactive rather than reactive security. But the fact that he already has numerous patents pending has raised eyebrows. “There was something ‘really fishy’ about Alexander’s dash into the private sector, said Matthew Aid, author of books on the NSA and intelligence work, including Intel Wars: The Secret History of the Fight Against Terror.”
Alexander claims that the patents have nothing to do with his work at the NSA, and that the underlying concept is not even his.
U.S. threatened hefty fines to make Yahoo hand over user data
The U.S. government in 2008 threatened to fine Yahoo Inc $250,000 a day if it failed to turn over customer data to intelligence agencies, according to documents unsealed on Thursday.
“The documents shed new light on how the government dealt with U.S. Internet companies that were reluctant to comply with orders from the secretive U.S. Foreign Intelligence Surveillance Court, which rules on government requests to conduct surveillance for national security issues…
“A filing to the secret court by the U.S. government asked that Yahoo be made to pay a minimum fine of $250,000 for each day it refused to comply with a court order to turn over user data, with the fine to double each successive week.” Ouch!
PoS RAM Scraper Malware
If you’ve ever wondered how POS RAM-scraping malware works, Trend Micro has published a whitepaper discussing both the technology and the existing POS malware families. “After merchants swipe credit cards, the data stored on them temporarily resides in plain text in the PoS software’s process memory space in the RAM. PoS RAM scrapers retrieve a list of running processes and inspect each process’s memory for card data. They run searches on the process memory space and can retrieve entire sets of Tracks 1 and 2 credit card data.”
HP to buy cloud software startup in rare acquisition
“Hewlett-Packard Co (HPQ.N) plans to buy cloud software startup Eucalyptus Software, a rare acquisition for the company since its failed $11 billion purchase of Britain’s Autonomy Plc in 2011.
“HP did not say how much it will pay for Eucalyptus, which provides open-source software for building private and hybrid clouds, or Internet-based computing services. A source familiar with the deal told Reuters that HP would pay less than $100 million.”
Google acquires online polling firm Polar
A start-up online polling company, Polar, has been acquired by Google (for Google+) for an undisclosed amount. It isn’t clear whether the technology or the people were bought – but it seems likely that Google is really after the design skills rather than the product code of Polar. The acquisition is also taken as a confirmation of Google’s continued commitment to Google+.