Posted by Kevin on October 9, 2014.
The ITsecurity daily security briefing: Thursday, October 9, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
More than 30 police forces refuse to reveal uses of RIPA against journalists – with 11 citing national security
“More than 25 police forces across the UK have declined to disclose details on whether the Regulation of Investigatory Powers Act (RIPA) has been used by them to obtain journalists’ telephone records.
“While 20 forces have rejected Press Gazette’s Freedom of Information request on cost grounds – with many saying the information is not easily “retrievable” – 11 have cited the ‘risk of undermining national security’.
“However, the Interception of Communications Commissioner, Sir Paul Kennedy, said yesterday that he has written to all chief constables ordering them to provide full details of use of RIPA powers to identify journalistic sources.”
British cops want even MORE surveillance powers
“Britons must accept a greater loss of digital freedoms in return for greater safety from serious criminals and terrorists in the internet age, according to the country’s top law enforcement officer.
“Keith Bristow, director general of the National Crime Agency, said in an interview with the Guardian that it would be necessary to win public consent for new powers to monitor data about emails and phone calls.
“Warning that the biggest threats to public safety are migrating to the internet and that crime fighters are scrambling to keep up, the NCA boss said he accepted he had not done a good enough job explaining to the public why the greater powers were necessary.”
Apple Is Slowly Killing Everything We Love
Apple seems to be closing the ‘date trick’ gate that fuels the emulator community. Dario Sepulveda wrote at the end of last month: “iOS 8.1 beta was seeded to developers yesterday and it’s already causing panic among some iOS emulator aficionados. It was reported to me almost immediately by a source that the date trick wasn’t helping at all in installing GBA4iOS 2.0 – that’s when worry started to set in and I decided to investigate… It is still unconfirmed whether this a permanent thing come next beta update, but it all seems to spell one thing: Apple is slowly killing everything we love.”
Now he has added an update: “iOS 8.1 Beta 2 is out and I can confirm that it continues to block the date trick for emulator installations. Well, I guess this is it, guys!”
Fidelity Investments was one of the JPMorgan +12 attacked financials
It’s like getting blood out of a stone. We are repeatedly told that JPM was not the only financial institution attacked, but that a total of 13 were targeted. Now at last we seem to know one of them: Fidelity Investments.
“Fidelity Investments was among 13 financial institutions attacked by hackers who are believed to have been responsible for a breach at JPMorgan Chase, but there is no indication that Fidelity customer data were stolen, the Financial Times reported on Thursday.
“When contacted by Reuters, Fidelity spokesman Vincent Loporchio said in an email, ‘We have no indication that any Fidelity customer sites, accounts, information, services or systems were affected by this matter.’”
Latest AV-test results are out
The good news is that more products are achieving 100% test results. The bad news is that Microsoft’s anti-virus remains rooted at the bottom.
While several firms achieved the 100% mark, and the industry averages were 96% (0-days) and 98% (widespread malware), Microsoft Security Essentials scored only 76% detection for 0-days, and 79% for widespread malware.
The backlash against NSA and GCHQ spying continues
“China’s military forces will ramp up their cyber security and speed domestic development of software, the country’s state media said in a statement yesterday.
“The plan underscores China’s increasingly vocal concern that the internet is dominated by Western powers and values.
“‘Information security must be considered an underlying project in military battle preparedness,’ the official People’s Liberation Army Daily said.
“‘We will strongly advance the domestic and independent building of programs, and strengthen the foundations of our information security,’ it added.
“President Xi Jinping, who also heads the military, heads the government’s body for internet security which aims to turn China into a ‘cyber power’.
“Foreign technology companies in China face challenges from a sharp decrease in sales linked to increased awareness of cyber security and the role of the US government in cyber espionage.”
US Spy Programs May Break the Internet if Not Reformed
At a panel discussion organized by lawmaker Ron Wyden, top tech leaders condemned the government attitude to NSA spying.
Microsoft General Counsel Brad Smith said: “If you’re a consumer or a company, you own your email, your text messages, your photos and all the content that you create. Even when you put your content in our data centers or on devices that we make, you still own it and you are entitled to the legal protection under our Constitution and our laws. We will not rebuild trust until our government recognizes that fundamental principle.”
Google’s Eric Schmidt warned, “the simplest outcome is we’re going to end up breaking the internet.” Governments, he said, will eventually just say, “we want our own internet…and we don’t want other people in it.”
Ramsey Homsany of Dropbox “noted that the burden of regaining trust shouldn’t lay just with companies; the government needs to lead and repair the trust that’s been damaged ‘to show the world that we are a country that respects these values,’ he said. ‘We have built this incredible economic engine in this region of the country . . . and trust is the one thing that starts to rot it from the inside out. I think it is really that serious. We need to see the government also starting to do its part.’”
Sir Tim Berners-Lee speaks out on data ownership
“The data we create about ourselves should be owned by each of us, not by the large companies that harvest it, Tim Berners-Lee, the inventor of the world wide web, said today.
“Berners-Lee told the IPExpo Europe in London’s Excel Centre that the potential of big data will be wasted as its current owners use it to serve ever more ‘queasy’ targeted advertising.
“By gaining access to their own data, people could use it with information about themselves from other sources in order to create ‘rich data’ – a far more valuable commodity than mere ‘big data’, he said.”
Web Application Attack Report #5
Imperva has published the latest edition of its web application attack report, full, as usual, of facts and figures. Here’s one comment from the report: “WordPress has been in the headlines, in the past couple of years, both because of its popularity, and because of the amount of vulnerabilities found in its application and exposed by hackers.” But this is just a tad misleading. It’s not strictly the WordPress application that contains all of these vulnerabilities, but the third party plugins. So WordPress sites are attacked (via the plugins) rather than WordPress itself. The latest WordPress straight out of the box and installed with no plugins is actually relatively secure.
Vodafone phishing scam
A current phishing scam is being sent to thousands of potential Vodafone customers. The lure is simple: “You have one unread Message on your Online Vodafone Account. VIEW YOUR MESSAGE”
“If you were tricked into clicking the link in the fake email message and have entered your username and password for your Vodafone account on the fake Vodafone website that you were taken to, please change your Vodafone password immediately.”
Online Threat Alerts: