Wednesday, 30 October 2013

Adobe admits 38 million customer details stolen by attackers

Adobe has admitted that details on 38 million active users were compromised in a 'sophisticated' attack on its network, rather than the 2.9 million it claimed were affected in early October.
The number came to light after renowned security researcher Brian Krebs wrote on his blog that he had seen a data dump on a website called with 150 million usernames and passwords. Adobe later confirmed to Krebs that only a portion of these were active users.
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and – what were at the time valid – encrypted passwords for approximately 38 million active users,” an Adobe spokesperson told Krebs.
“We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident – regardless of whether those users are active or not.”
V3 contacted Adobe for direct comment on the revelations but had received no reply at the time of publication.
Krebs helped Adobe uncover and monitor the original attack on its networks. The theft of account details came alongside an attack on Adobe source code of Acrobat, ColdFusion, ColdFusion Builder and other unnamed Adobe products.
Adobe confirmed to Krebs that source code for Photoshop was among some of the other products affected. “Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on 3 October,” it said.

Vulnerabilities in ColdFusion were also named as the route by which a 28-year-old UK man named Lauri Love was able to infiltrate US army systems; he was arrested earlier in October by the UK's National Crime Agency.

PRISM: European officials head to US to discuss phone tapping claims

A group of European politicians are headed to the US to talk with senior officials about the ongoing revelations from the PRISM spying scandal.
In particular, the civil liberties commission will talk in Washington with US officials about recent news that the phones of numerous world leaders have been tapped, including German chancellor Angela Merkel and many Spanish authority officials too.
Head of the delegation, Claude Moraes, a Labour member of the European Parliament, said the mission was vital to get to the bottom of the extent of the spying the US has been engaging in.
“We will have the opportunity to discuss directly with US counterparts the alleged surveillance activities of US authorities and any impact they have in terms of EU citizens' fundamental right to privacy," he said.
“A key priority for this inquiry is to gather all relevant information and evidence from US sources, which is why this fact-finding delegation to Washington is so important.”
The US has recently acknowledged the issue has caused tension among European leaders, with the press secretary for president Obama revealing he has spoken with chancellor Merkel about the issue. However, he defended the need to gather data through covert means for national security interests.
"I know that the president has had discussions with chancellor Merkel about that [the spying claims], including yesterday in their phone call. He’s very understanding of the concerns that have been raised broadly in Germany and elsewhere by these reports," he said.
"There are real threats out there against the American people and against our allies, including Germany, including allies around Europe and around the world. We also need to balance those security needs against the understandable privacy concerns that we all share."
The allegations around phone tapping are just the latest fallout from the PRISM revelations that began in the summer when Edward Snowden revealed the extent of spying by US and UK authorities. The UK is believed to have gathered vast amounts of web data under its Tempora programme.

ICO fines North East Lincolnshire Council £80,000 for unencrypted USB stick blunder

The Information Commissioner’s Office (ICO) has hit North East Lincolnshire Council with a fine of £80,000 after it admitted losing information regarding children in its care with special educational needs.
According to the council, an unencrypted memory stick went missing on 1 July 2011 after it was left plugged into a laptop at the council’s offices by a special educational needs teacher. The teacher left the laptop unattended and when they returned, the memory stick had gone and has never been recovered.
The USB memory stick contained sensitive data on 286 children who attended local schools, including notes on their mental and physical health problems and teaching requirements. It also included pupils’ dates of birth and some information on home addresses and their domestic arrangements.
The ICO found that although the council had policies in place since April 2011 that made the use of encrypted USB sticks mandatory, it had no policy for checking that this was being followed by staff. It also did not know if the teacher in question had been trained on data protection requirements.
ICO head of enforcement Stephen Eckersley said that the case underlined once more the importance of basic data protection measures such as encryption.
“Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted,” he said.
“North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented.
In response, council chief executive Tony Hunter apologised to those affected and promised improvements would be made. "This data loss should not have happened and we took immediate steps to try to ensure it does not happen again," he said.
"It is important to note that since the data loss, we have made major improvements to our policies, training and procedures to prevent another incident like this happening again."
He also noted that a helpline has been set up - 0800 183 0386 - for those concerned to call and set up an appointment to discuss any issues regarding the incident.
Unencrypted data is the bête noire of the ICO, with the data watchdog making repeated calls to organisations to ensure all data they hold is adequately protected.

PRISM spy fears must not send firms back to old security models

AMSTERDAM: Businesses' reversion to perimeter-based, privacy-focused security models in the wake of the PRISM revelations is only going to benefit hackers, according to RSA executive chairman Art Coviello.
Speaking during a keynote at the RSA conference in Amsterdam, attended by V3, Coviello said concerns about privacy following the PRISM scandal are hindering firms' ability to deal with next-generation cyber threats.
"I want to address a serious complication in our ability to make progress - privacy. Last year I pointed out the danger of an imbalance between privacy and security. There are absolutely legitimate concerns about monitoring networks but this isn't just an academic debate," he said.
"Some of our customers are caught in a catch 22. They are scared to deploy legitimate security to protect their customers' privacy, out of fear they'll break legislation designed to protect their workers' privacy."
The PRISM scandal broke earlier this year when ex-CIA analyst Edward Snowden leaked classified documents to the press proving the National Security Agency (NSA) was collecting vast amounts of web user data from companies like Google, Microsoft, Yahoo and Facebook.
The scandal led to widespread calls for new, more robust privacy laws. Earlier in October the UK government decided to start accepting public feedback about what legislative changes are needed. Coviello said the trend is troubling as it is leading businesses to revert back to older, ineffective security models.
"Just seven years from the invention of the iPhone we have full mobility and soon with the use of IPv6 we'll have as many as 200 billion devices connected to the internet, many of which will be involved in critical infrastructure," he said.
"These will give our adversaries new avenues of attacks that we ourselves paved. The perimeter model no longer works, traditional security protocols are becoming obsolete."
Coviello said the systems only benefit hackers and will cause untold harm to the world economy if left unchecked.
"Full anonymity is the enemy of privacy. It gives our enemies an anonymous way to misuse our private data with no risk of discovery or prosecution," he said. "Today we live in an era of the global sharing of information and the economy is reliant on this sharing of information."
The RSA chief said businesses will need to adopt intelligence-based, holistic security systems to deal with the threats.
"Existing controls are silo based, they can't see outside. Today's controls are like a blind man trying to describe an attack to a security centre. By enabling security controls to let them interact with each other, we're providing them context," he said.
"When we comprehensively understand the normal flow of data across the network we're better equipped to spot even the faintest sign of an attack in an increasingly noisy environment."
Coviello said the systems will also help future-proof businesses against next-generation threats.
"Context is what makes intelligence-based security future proof. These attackers at some point will have to do something noisy, something out of the normal. That's when we spot them and when we stop them," he said.
Coviello said while such systems could be theoretically misused by businesses, the issues can be solved with new information governance laws. "When systems like the ones I've described are applied sensibly and with governance, privacy and security working together, it's the only way privacy can work today given the nature of our interconnected world," he said.
"Where attackers are tearing through our existing security, we need this level of insight. It does have the potential to be misused and we don't want to create big brother, we have to strike a balance [...] It's up to us to ensure we have an informed and open discussion to create the new rules."

Windows XP six times less secure than Windows 8, warns Microsoft

AMSTERDAM: Systems using Windows XP are six times more likely to fall victim to malware than those running Windows 8, according to Microsoft Trustworthy Computing (TwC) general manager, Mike Reavey.
Reavey said Microsoft spotted the trend while researching its latest The Risks of Running Unsupported Software threat report, during a keynote at the RSA Conference in Amsterdam.
"There are over one billion Windows machines online and we can use them to track malware," he said at the event.
"I'm pleased to say if you look at the infection rate on Windows systems you can see older versions are infected more than newer machines. Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate."
The comments are perhaps not surprising as Microsoft attempts to encourage customers to move to its new operating system. However, with less than six months until support for XP officially ends, the warnings are not without merit. So far, though, many users seem happy to stick with XP.
Despite this, Reavey cited Windows 8's lower infection rate as proof its Secure Development Lifecycle (SDL) practices are effective. SDL is a development process started by Microsoft in 2004. It is designed to improve new product security while reducing development costs.
"The downward rate is a sign of secure development practices," he said. "In pretty much every service in Microsoft we have people devoted purely on security, focused on what's going on in the marketplace and what's needed to secure it."
The Microsoft manager urged other businesses to follow its example. "When securing a product you should ask, does your development team talk to your operations team and if they do what do they talk about? Is it something as prescriptive as threat modelling? It should be," he said.
He added, while successful, an SDL strategy on its own is not sufficient to ensure a product is secure. "Regardless of our efforts securing our products and services, I firmly believe as long as there are motivated people out there, if they really want to, they will find a way to infect it," he said.
The Microsoft chief highlighted the notorious Flame malware as proof no system can ever be designed to be 100 percent hacker proof from the start.
"For example, think back to Flame. I was part of the response team that dealt with this when it first emerged. When it first hit, the headlines were pretty inflammatory [...] but it was pretty advanced, and there were a couple of elements to it that are really important," he said.
"If you look at the elements of Flame used for the initial infection it's pretty important. It wasn't a zero-day [...] Flame only worked if it was inside the victim's network. That's because it pretended to be a web proxy to disturb the flow. The second thing is it exploited software issues in Microsoft. Flame looked at how our system did certificates and made it look like it came from Microsoft."
Flame was an espionage-focused malware uncovered targeting Iranian systems in 2012. It had several advanced features that led many security experts to list it as a game changer for the industry.
Reavey said to deal with emerging security issues, businesses should learn from threats like Flame and proactively work to improve their protection. "The lessons learned from Flame aren't unique to Microsoft," he said.
"I hope they haven't had to go through something like Flame, but you shouldn't ignore it and wait to do something. Crises happen, they happen to us, they happen to everyone. The important thing is for you to learn from them."

Symantec to create cross-industry big data cloud hub to fight targeted attacks

AMSTERDAM: Symantec has pledged to create a centralised information-sharing big data hub to help customers spot and pre-empt top-shelf custom-built malware.
Speaking at a press keynote attended by V3, Symantec chief technology officer Stephen Trilling said the company hopes the centre will collect and analyse data from a variety of sources, including customers' and competing companies' systems.
"Targeted attackers are very persistent: they take months or years and will find gaps in any security system. Our vision is to help counter this, and that over time all data on these threats will be shared," he said.
"This can be done by storing it in local data stores, but in a perfect world it will be a giant central big data store. This is because the more we can correlate the data, the more we can find attacks we otherwise wouldn't. It's all about scale. The bigger the better."
Trilling argued that the strategy is an essential step as current isolated systems are ill equipped to deal with targeted attacks. "What drove us to this was that we realised the old model was going to fail," he said.
"Recently we found the average breach is discovered after 243 days. That's two thirds of a year. These targeted attack campaigns are not quick. Targeted attacks are about getting in the servers.
"The point of these campaigns is that they're not volume based, they're going for the crown jewels of a specific company. The crown jewels are different things for different companies, but they're usually proprietary, core intellectual property. This is the area of attack that appears to be growing the fastest."
The Symantec chief said the company has already begun working on the project and that many governments and enterprise businesses have expressed an interest.
"It will collect metadata such as an email address, a file hash, URLs or a list of attempted logins. It's all metadata, nothing confidential," he said. "Governments and enterprises are both interested in this because our ability to spot threats will be greater than ever."
Symantec is one of many firms to tout the benefits of a cloud-based security solution when combating advanced threats. HP announced similar plans to create an open attack data-sharing service earlier in the year. The plans have been met with mixed reactions, with many European commentators pointing out the dangers of handing over data to US-based companies in a post-PRISM world.
The NSA PRISM campaign was revealed earlier in the year when whistleblower Edward Snowden leaked documents proving that the agency was using companies such as Facebook, Google and Microsoft to monitor web users.
Trilling moved to counter these concerns, promising that any data used would be anonymised so it would be useless if stolen or siphoned by a hostile intelligence agency. "We don't need to collect any confidential corporate data, we're only collecting technical data about files," he said.
"We don't need to collect the content of the email, we just need the information relevant to a targeted attack. We are also looking at ways to provide on-premise databases for companies that may not want to send all the data to a central data store," he said.
Trilling also downplayed concerns that competing vendors would be hesitant to share their data, arguing that many already are actively sharing information.
"For them the benefit is they get to be part of this ecosystem and better protect their customers. It sounds idealistic but there is already a surprising amount of collaboration with competitors to achieve the greater good. A lot of people working in this industry are invested in finding ways to do a better job protecting the cyber ecosystem," he said.
Increasing the sharing of attack data has been a central goal of many governments. Within the UK it has been a key part of the government's ongoing Cyber Security Strategy. The strategy has seen the launch of several data-sharing initiatives, such as the Cyber Security Information Sharing Partnership (CISP), since launching in 2011.

Social media and digital identity. Prevention and incident response

The hacking of a social media account is a common incident that can have a serious impact on our digital identity. How can it be prevented, and what should be done if it happens?

Social media, cloud computing and mobile are the technologies that most attract cybercriminals because of their high penetration: by exploiting these channels, attackers can reach the huge amount of data belonging to a wide audience. Almost every netizen has one or more social media accounts, and these are frequently hacked.
The 2013 Norton Report confirmed that social media are considered a relevant source of problems because of users' risky behaviour: 12% of users revealed that someone had hacked their account. The report shows that in 39% of cases users don't log out after each session, 25% share social media credentials, and one in three accept requests from strangers.
These risky practices are very dangerous and can be considered the primary cause of the increase in cyber attacks; at the same time, cyber criminals are adopting ever more sophisticated hacking techniques.
Cybercrime and cyber espionage are the primary motives behind attacks against social media platforms; one of the most blatant was the attack on Facebook against the account of NATO's most senior commander.
Hackers can compromise a social media account in various ways: they can use malware, conduct a spear phishing campaign, compromise a third-party application, or rely on other social engineering techniques.
A few hours ago the social sharing service Buffer was the victim of a cyber attack that led to the abuse of numerous unsuspecting social network accounts.
I’ve written many articles in the past to explain how to protect our digital exposure on social media, managing with care what we disclose on these powerful platforms, and how to avoid ugly surprises.
How to discover that a social media account has been compromised, and what to do?
In some cases it is quite easy to discover that a social media account has been compromised, because the hackers immediately abuse it by sending messages to the victim's network of contacts. In other cases this does not happen and the attack is more insidious, because the attackers can keep control of the account for a long time and operate in stealth mode. The signals that suggest an account has been compromised are:
  • Unexpected communications from the social network informing the user of operations they never performed, such as an email address change or changes to profile settings (e.g. picture, privacy settings).
  • Automated likes, follows/unfollows or friend requests.
  • Private messages sent to contacts within the victim's network.
  • Addition or purchase of new apps and games never requested.
  • Status updates/tweets that the user never made.
What can you do to avoid being compromised or exploited?
  1. Actively manage your privacy settings
  2. Don’t accept friend requests from random people. Share your data with fewer people, and only those that you really do know. Confirm with your friend via SMS / phone, before accepting online. Actually know the people you are befriending! Follow up any flagged concerns you may have about a friend’s online behavior – they may not be who you think they are, or their account may have been compromised.
  3. Be careful before clicking a URL generated by a link-shortening tool: it is useful to expand the URL with a tool like LongURL and evaluate whether it points to a legitimate site.
  4. Think before you click. Never click on suspicious links. Just because they “purportedly” came from a friend or organization you know, does not make them safe. Report any abuse to the network service provider. You will be helping others be safer as well.
  5. Never enter your username/password on a site that is not using the URL of your social network provider.
  6. Always update your browsers and anti-virus to the latest versions as they can protect against phishing and other attacks.
  7. Clear and delete old social network accounts. Over time you stop using accounts for one reason or another. Make sure the social network provider deletes them.
  8. Don’t assume your online correspondence is private. Many accounts have a default setting to ‘share’ (indiscriminately publish) when first created. Anything shared can be saved (and stored forever), copied, and can of course even be indexed by search engines.
  9. Don’t share your location. Turn off broadcast features. Don’t leave notes saying you are on holiday. This is an invitation for criminals to visit your home.
  10. Use authenticating apps with care. When a user authorises an application to access his social media account, he must be sure that the third party is capable of managing that access securely: an attack against the app could leave users unprotected. So review the applications you trust on a regular basis and revoke those you no longer use.
  11. Use unique passwords for each account and never share them across networks.
  12. I suggest activating two-factor authentication if the social media platform provides it. Principal platforms like Facebook, Google+ and Twitter provide it: Facebook and Twitter use 2FA based on SMS, while Google uses an application on mobile devices to generate an authentication code.
What to do if the account has been compromised?
Some simple recommendations to follow:
  1. Change the password immediately. Sharing credentials across different web services is a bad habit; if you have done so, be sure to change the password for all of them as well.
  2. Scan the infected host for malware and remove any malicious code.
  3. Review installed apps and remove any you don't recognise. In the worst case, revoke access for all applications and re-authorise them selectively.
  4. Check whether the attacker has changed the email address associated with the hacked account; if it has been changed, restore it.
  5. Notify your network connections of the hack to avoid propagation of the attack.
If the user is unable to perform the password reset procedure, the last option is to request support from the social media provider's contact centre by email or phone.
In conclusion: be sure to properly protect your social media accounts; a few simple practices can avoid handing attackers the keys to our digital identity.

New Cybersecurity report now available from Microsoft

On Tuesday, Trustworthy Computing released volume 15 of the Microsoft Security Intelligence Report, which provides threat intelligence and analysis of cyber threats in over 100 countries and regions worldwide.
“Among the numerous key findings in the new report, one of the more interesting things to surface was the increased risk of using unsupported software,” writes Microsoft Director of Trustworthy Computing Tim Rains in a blog post. “The report found that in the first half of 2013, nearly 17 percent of computers worldwide that run Microsoft real-time security products encountered malware that tried to get on or stay on those systems, but Microsoft anti-malware products blocked this from happening.”
What’s interesting to note is the difference between encountering malware and actually being infected by it. During the first half of 2013, currently supported versions of Windows desktop operating systems (Windows XP, Windows Vista, Windows 7 and Windows 8) all had roughly similar malware encounter rates – between 12 and 20 percent. But Windows XP systems had an infection rate that was six times higher than Windows 8, Rains writes.
Head on over to Microsoft on the Issues for the rest of this story. You can also read this press release over on the Microsoft News Center for more information.

A Malware Classification

At Kaspersky, we take our responsibility to keep you guarded against attacks very seriously, which is why we’re continuously familiarizing you with the latest methods that are out there and the various protection options you have to choose from. With all of the information available to you, we realize it’s sometimes hard to keep all of the different types of malware we’ve introduced you to straight. That’s why we’ve decided to break down some of the most common malware classifications, so there’s no question about what you’re up against.
Virus: Simply speaking, computer viruses are a type of self-replicating program code that are installed onto existing programs without user consent. Their definitions can be broken down much further though, by the type of objects they are infecting, the methods they use to select their hosts, or the techniques used to attack. They can appear in numerous forms as well, ranging anywhere from email attachments to malicious download links on the Internet, and can perform many harmful tasks on your OS. Nowadays viruses are quite rare because cybercriminals look to have more control over malware distribution, otherwise, new samples quickly fall into the hands of antivirus vendors.
Worm: Worms are considered to be a subdivision of viruses since they are also self-replicating programs; however unlike viruses, they do not infect existing files. Instead, worms are installed directly onto their victims’ computers in a single instance of “self standing” code, before finding opportunities to spread or tunnel themselves into other systems through things like the manipulation of vulnerable computer networks. Worms, as with viruses, can also be defined further by breaking down the methods in which they infect, like through email, instant messaging or file sharing.  Some worms exist as standalone files, while others reside in computer memory only.
Trojan: Quite opposite from viruses and worms, Trojans are non-replicating programs that pretend to be legitimate, but are actually designed to carry out harmful actions against their victims. Trojans get their name from acting in the same manner as the infamous Greek Trojan horse, concealing themselves as useful programs while quietly carrying out their actual destructive functions. Since Trojans are not self-replicating, they do not spread by themselves. But thanks to the increased scope of the Internet, it has become very easy for them to reach many users. They’ve also grown to now come in many forms, like Backdoor Trojans (which try to take over remote administration of their victims’ computers) and Trojan Downloaders (which install malicious code).
Ransomware: Ransomware is malware that is designed to extort money from its victims. It can appear as a pop up, phishing link, or malicious website, and once acted on, will trigger a vulnerability in the user’s system, locking out the keyboard and screen, and sometimes even the entire computer. It’s intended to scam people by falsely accusing them of doing things like using pirated software or watching illegal videos, displaying warning pop ups, trying to make them act quickly by saying the warning message will only be removed if a fine is paid.
Rootkit: A rootkit is a special form of malware, designed specifically to hide its presence and actions from both the user and any existing protection software they have installed on their system. It’s able to do this via deep integration with the operating system, sometimes even starting before the operating system does (this variety of rootkit has its own name, bootkits). Sophisticated antivirus software is still able to detect rootkits and get rid of them though.
Backdoor (RAT): A Backdoor, or a Remote Administration Tool, is an application that allows a person (the system administrator or a cybercriminal) access to a computer system without user consent or knowledge. Depending on the RAT functionality, an attacker could install and launch other software, send keystrokes, download or delete files, switch the microphone and/or camera on, or log computer activity and send it back to the attacker.
Downloader:  These infections are small pieces of code that are used to quietly take executable files, or files that command your computer to perform indicated tasks, from the server. Once downloaded, through things like email attachments and malicious images, they communicate back to a command server and are then instructed to download additional malware onto your system.
Familiarizing yourself with existing malware is a great place to start when it comes to keeping your system safe. And you should, of course, always be sure you’re choosing a trusted antivirus to defend against possible attacks.