Posted by Kevin on October 2, 2014.
The ITsecurity daily security briefing: Thursday, October 2, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
As of yesterday you can now back up your CDs and play them on different media in the UK
“New measures that will modernise the intellectual property (IP) framework will come into force on 1 October 2014, modernising copyright law and helping designers and patent holders protect their valuable IP…
“This includes changes which will allow people greater freedom to enjoy content they have bought and from 1 October 2014 allow them to make personal copies strictly for their own private use. Prior to this change, it was illegal to copy music from a CD to an MP3 player.”
But there are still restrictions. While you can copy for your own use, you may not copy for a friend. You can create backup copies on personal cloud systems – but giving a friend access to your cloud account becomes problematic.
A consumer guidance document is here.
31 arrests in operation against Bulgarian organised crime network
“Bulgarian and Spanish judicial and law enforcement authorities, working in close cooperation with Europol’s European Cybercrime Centre (EC3) in The Hague, have dismantled another significant Bulgarian organised crime network suspected of a variety of crimes including large scale ATM skimming, electronic payment fraud and forgery of documents.
“The action day for Operation Imperium on 30 September 2014 resulted in 31 arrests and 40 house searches. The coordinated action mainly took place in Malaga in Spain and in the three Bulgarian cities of Sofia, Burgas, and Silistra.
“Eight criminal labs, including two very complex modern production sites for skimming equipment and counterfeit documents in Sofia and Malaga, were discovered and dismantled during the raids. More than 1000 devices, micro camera bars, card readers, magnetic strip readers and writers, computers, phones and flash drives, as well as plastic cards ready to be encoded, were seized. Moreover officers found 3D printing equipment to produce fake plastic card slot bezels ready to be installed on the ATMs and manipulated POS terminals. Police officers also confiscated dozens of forged payment cards with records of PIN numbers, ready to be used at other ATMs.”
Vulnerabilities in WordPress!
Cyren started a blog with the headline: Bloggers beware: vulnerabilities in WordPress. But it’s a strange little blog. The company “discovered several compromised WordPress sites, including this one, for a supposed Canadian pharmaceutical site selling Viagra.” It adds, “To prevent a WordPress breach, you should consistently update WordPress itself as well as any active plugins.”
Well, that’s good advice. But in this particular instance, “To find vulnerabilities, hackers look for abandoned or inactive WordPress sites and then search these sites for missing updates…”
I have two problems. Firstly the headline is misleading – it is not talking about vulnerabilities in the current WordPress, but old vulnerabilities that have probably been fixed. And secondly, who’s going to fix an abandoned site?
Smart meter hack
From the blurb of a paper to be presented this month at BlackHat Europe 2014 by Alberto Garcia Illera & Javier Vazquez Vidal:
“We all know that connected devices are uprising, and this enables more overall control over them. But what happens when that control is used against you? How can a device, which is supposed to make your life easier, be used against you? Does it really mean, when you read “AES, Triple DES, RSA, etc…” in a device specification, that it is really secure?
“We will talk about a device that is present in all houses, a smart power meter. This model is being installed in all houses and buildings, and it’s already present in the 65% of the “paella” country. We will show the process necessary to rip off any device, taking the meter as “demo hardware,” and the possibilities that this procedure could bring, including firmware and hardware reverse engineering.”
More details on Dark Reading.
BlackHat Europe Briefings:
ComputerCOP: The Dubious ‘Internet Safety Software’ That Hundreds of Police Agencies Have Distributed to Families
“For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online…
“As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies…”
One of the things that worries EFF is that it includes a keylogger that captures traffic and then transmits the data over the internet unencrypted. “That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.”
Why the next Windows is 10 rather than 9
Many have been puzzled over why the Windows version sequence is going to miss a beat and jump from Windows 8 to Windows 10 (a problem, incidentally, for the excellent Windows9Hub website). Now an MS developer has given the probable cause:
Incidentally, it will genuinely be the tenth version of Windows.
Courtesy of a Mikko Hypponen tweet:
New SSD Can Be Destroyed via Code Word Text Message
“Called the Autothysis128, the drive has a built-in GSM radio that allows it to receive text messages virtually anywhere in the world (GSM is by far the most ubiquitous cellular radio tech available). The drive can be set up to self-destruct (fragment, not some sort of rad explosion) in several scenarios, including if the GSM signal is blocked by an outside force, the incorrect PIN is entered too many times, or if the tamper-proof case is compromised.
“Most notable is the Token feature, which pairs the Autothysis128 with a physical security fob. The fob, charged by USB 2.0, can send a text to the SSD; if the right code word is sent to the drive? All data is permanently destroyed via fragmentation. You can also pair the drive with two fobs, keeping one at each end of a drive transfer. If your hired courier is jacked by the local Yakuza gang? Your data remains safe.”
Interpol opens Singapore center to fight cyber crime
“Interpol, the world’s largest police organization, is opening a center in Singapore focused on fighting cyber crime, which many countries, it says, are poorly equipped to contain.
“Cyber crime is increasingly conducted by a highly specialized chain of software break-in experts, underground market-makers and fraudsters who convert stolen passwords and identities into financial gains. Criminals can keep data for months or even years before using it to defraud victims…
“Interpol will employ around 200 people at the Singapore center and host a digital forensic laboratory to co-ordinate investigations.”
Fake email Delta Airlines or American Airlines with ticket details contains trojan
“MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email targeting Delta Airlines and American Airlines customers with attached ticket details.” The email claims to provide an airline ticket as an attachment, and that “To use your ticket you should print it.”
It’s all fake. The attached zip file contains a trojan.