Saturday, 30 November 2013

The Following Information Security Counter Arguments are Invalid

After bringing attention to the inability to terminate a session in some popular open source web application frameworks, many of the counterarguments fell into the following bins:
  1. We already knew about this
    Why is it still an issue? Too few people know about it; other developers, even users need to be informed and heard from.
  2. Developers already know about this
    They don’t, or they don’t care. They’re busy, rushed, and becoming an expert in your open source project is a lower priority than using it to accomplish whatever they’re being paid to deliver. Burying or omitting shortcomings in your project’s design only delays discovering them–the later: the worse, the angrier.
  3. Additional configuration is required to fully protect against this
    These additional protections are not being deployed. They also don’t provide 100% CYA.
  4. The issue isn’t sexy
    Basic issues are still issues. Basic issues that continue to exist are just embarrassing. Focusing on sexy helps no one.
We’re getting nowhere fast with this attitude.
Separately, there’s disagreement over this issue specifically and if it’s even a vulnerability. Well, the OWASP Top Ten will remain unchanged if we can’t even agree on whether this is a feature or a weakness.

Most big businesses “still failing” to recognize cyber risks, survey finds

A survey of top businesses in the UK found that 86% of the largest firms traded on the London stock exchange do not even consider cyber risks when making decisions.
The survey found that just 14% of FTSE 350 firms even took cyber risks into account at board level, according to a survey from the Department for Business, Innovation & Skills. Only a quarter of those surveyed see cybersecurity as a top priority.
The news follows a warning from professional services firm KPMG that large British businesses regularly risk sensitive information such as email addresses by sharing documents online, according to PC Pro.
Despite this, 62% of companies think their board members are taking the cyber risk very seriously. Many board members receive no intelligence at all about cybercrime, the report said.
David Willetts, Science Minister, said: “The cyber crime threat facing UK companies is increasing. Many are already taking this extremely seriously, but more still needs to be done.We are working with businesses to encourage them to make cyber security a board-level responsibility.”
Information Age reported that the same government department had published a report in April, showing that 93% of large firms had fallen victim to a breach in the past year. Several of these breaches cost the companies millions, Information Age reported.
The UK government is now attempting to establish a standard for cyber security – backed by the country’s new National Cyber Security Program. Other departments have been even more vocal on the issue.
Earlier this year, the head of British intelligence agency GCHQ (Government Communications Headquarters) said that mainstream media reports offered a mere “snapshot” of cybercrime, as reported by We Live Security here.
“Cyberspace is contested every day, every hour, every minute, every second,” said Sir Iain Lobban, Director of GCHQ. Sir Iain said that although cyber attacks are now reported frequently in the media, the reports still fail to capture the scope of cybercrime.
“GCHQ’s cutting-edge technology adds a unique perspective on the issue, illuminating the threats in cyberspace. And I have to say that the incidents I see described in the media are just a snapshot of what is going on,” he wrote.
“On average, 33,000 malicious emails a month are blocked at the gateway to the Government Secure Intranet – they contain sophisticated malware, often sent by highly capable cyber criminals or by state-sponsored groups. And a far greater number of e-mails, comprising less sophisticated malicious e-mails and spam, is blocked each month.”

How do we protect kids from online predators?

The Internet is a vast source of information for all of us, and naturally some people use that information for good, and some for ill, like grooming and stalking children. So what things can you as a parent, teacher, or other concerned adult do to protect kids against online predators and solicitation? This is not intended to be an exhaustive guide, but to start a conversation where we can share comments and information.
I recently wrote about privacy and domestic violence survivors and one of the first things that struck me was how much of the advice out there was woefully outdated. For example, at this point I’m not sure how much use it is to tell people how to safely interact with AOL chat rooms. Likewise, a lot of the information about protecting children from online predators is from another Internet-era, before we were all carrying the Internet with GPS and hi-definition audio/video capabilities, in our pockets.
In searching for statistics, what I found (that wasn’t from a bygone era) was that online predators tend to glean a lot of information from social networking sites:
  • In 82% of online sex crimes against minors, the offender used the victim’s social networking site to gain information about the victim’s likes and dislikes.
  • 65% of online sex offenders used the victim’s social networking site to gain home and school information about the victim
But the specific means of gleaning information is less important than the prolific yet largely unwitting sharing of information with strangers. Predators may seek out children who are participating in attention-seeking behaviors as a way of finding connections with others. Sadly, these kids seeking connection are generally the ones least apt to have a concerned adult that they will feel to whom they feel they can turn, to report solicitation. These targeted kids may also not wish to report the behavior, as they may simply be glad for the interest and may naturally be naïve about the nature of the attention.

Understanding Online Solicitation

The following list from Microsoft describes the actions of online predators:
  • Find kids through social networking, blogs, chat rooms, instant messaging, email, discussion boards, and other websites.
  • Seduce their targets through attention, affection, kindness, and even gifts.
  • Know the latest music and hobbies likely to interest kids.
  • Listen to and sympathize with kids’ problems.
  • Try to ease young people’s inhibitions by gradually introducing sexual content into their conversations or by showing them sexually explicit material.
  • Might also evaluate the kids they meet online for future face-to-face contact.
Out of context, this starts out sounding like friendly behavior. But clearly there is a very unhealthy progression. In essence, this behavior is like long-term social engineering, because it is done with harmful intent. Solicitation preys on innocent, trusting people in order to get something that they would not freely give otherwise.

Protecting Children On- and Off-line

Tips for reducing the risk of children being victimized generally center around monitoring and controlling their access to the Internet in an age-appropriate way. But as this article from the San Diego Police Foundation points out, not all solicitation happens online, so more needs to be done to prepare kids to recognize the signs. It is essential to make sure that kids know from an early age what is appropriate information to share with others, even people who appear to be friends (as this is what predators make themselves out to be).
Establish rules about when it is okay to:
  • Send or post photos
  • Give contact or identifying information for themselves or family members
Let kids know it is best to:
  • Socialize online only with kids they know in real life
  • Avoid personal discussions with strangers online, especially conversations involving sex, violence, and illegal activities
As older kids become eligible for social networking sites, they may wish to meet in person some people that they have met online. It is important that a parent or guardian accompanies the teen to any first meeting, to determine whether the situation is safe and age-appropriate.
The idea of establishing rules is not to make a child fearful of strangers, but to instill in them an ability to scrutinize communications in a way that comes from a healthy sense of self-worth. There is a saying that is popular in the security industry: “Trust, but verify”. This means not blindly accepting someone’s words at face value, but doing additional research to determine if a communication is trustworthy.

Parental concern versus independence

Good parenting (or mentoring) is about finding that balance between providing children with the tools to become independent adults, and spending enough time with them that they feel loved and protected. When children are younger, you can safely lean towards being overprotective, until they can understand and internalize the reasons for the rules. Adults are targeted by confidence schemes and scams too, so learning to avoid them and protect their privacy will serve them throughout their lifetime.
Perhaps the most important thing you can do to protect kids from online predators is to establish a good rapport and open lines of communication with them. Social engineering relies on creating a strong feeling either of fear or of trust. If a child feels they can discuss their experiences with a trusted adult, without concern for punishment or judgment, they can verify whether questionable online communications are scams or solicitation. It is important to remember that even if children respond positively to online predators, they are still the victims in the same way that anyone who has fallen for a scam is a victim.

Communication and Curiosity

The FBI provides a guide for parents, which includes a considerable amount of additional information for parents about how to recognize when a child may be at risk for solicitation, and what to do if you suspect your child has been targeted. They also provide the following list of tips for how to improve communication with children about their online activities:
  • Communicate, and talk to your child about sexual victimization and potential on-line danger.
  • Spend time with your children on-line. Have them teach you about their favorite on-line destinations.
  • Keep the computer in a common room in the house, not in your child’s bedroom. It is much more difficult for a computer-sex offender to communicate with a child when the computer screen is visible to a parent or another member of the household.
The general idea here is not to come from a place of accusing children, or scaring them about potential dangers. If you approach your child’s online activities with a sense of curiosity and interest, you can potentially see a problem before it becomes genuinely dangerous.
Children are naturally curious, and the Internet can be a great way for them to learn and explore, given reasonable boundaries to guide them. With proper adult guidance, they can gain the confidence to protect themselves throughout all their online and offline endeavors.
Here are some additional resources, should you wish to read more on the subject:

Filecoder epidemic goes global as Australians among “millions” of victims worldwide

Filecoder, an unpleasant and virulent strain of ransomware detected by ESET in large numbers of machines in Russia in September is now spreading globally, with experts estimating that the gang behind it must be earning “millions”.
Part of the reason for their success is the surge in the value of cryptocurrency Bitcoin, which broke the $1,000 barrier for the first time this week, according to Forbes’ report. Filecoder encrypts a user’s files, then demands a ransom in Bitcoin.
The malware – also known as Cryptolocker – is spreading fast, and widely. The U.S. government has issued an official warning that it appears to be targeting small businesses, and PC Advisor says it is now widespread in Australia. It’s often spread via email, and the gang customize these for new territories – for instance, in Britain, Companies House has warned businesses to be wary of phishing emails.
ESET malware researcher Robert Lipovsky reported a resurgence of the ransomware in late September, which encrypts users’ files with near-unbreakable AES encryption, with a 72-hour countdown after which files are “locked away” forever.
At the time, Lipovsky says, the malware largely affected users in Russia, with other victims in Spain and Italy. The malware spread via drive-by downloads from infected sites, and via email, Lipovsky says.
Since then, government warnings from the U.S. Computer Emergency Response Team, and the UK’s Britain’s National Cyber Crime Unit, which warned that tens of millions of computer users are at risk due to a “mass spamming event.”
The malware, identified by ESET as Win32/Filecoder BT, is transmitted via emails that appear to come from banks and financial institutions, the National Cyber Crime Unit warns.
“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular. This spamming event is assessed as a significant risk,” the NCU warned, as reported by We Live Security here.
CNN Money has warned that the malware is a particular risk to small businesses, who may have a small number of machines – and thus more data on each, and few IT staff.
Security reporter Brian Krebs describes the malware outbreak as a “diabolical twist on an old scam,” pointing out how quickly the malware has adapted as it has spread. To begin with, users could only pay in Bitcoin or Moneypak – both of which are complicated to use – so the unknown attackers created a method to pay without using these.
PC Authority said that on 1 November, a variant of the Trojan allowed users to recover “past deadline” by paying an even bigger sum – 10 bitcoins, or $3,000
New versions of the malware have also dropped the ransom price in response to Bitcoin’s surging value – and one, according to Krebs, even offfers users a second chance, “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”
Victims, government agencies and security experts agree on one thing – it’s unwise to pay up. In many cases, your files will remain locked anyway.
ESET researcher Robert Lipovsky says that the best defence is simply not to keep important data on one machine, and to back up regularly. If infected, switch off and disconnect immediately, and contact an IT professional. Lipovsky warns, “In most cases, recovering the encrypted files without the encryption key is nearly impossible.”.
“There are, however, at least two “fortunate points” about this malware: It’s visible, not hidden, the user knows he’s infected – unlike many other malware types that could be stealing money/data silently (of course, that doesn’t mean that he’s not infected with something else together with the filecoder!)”

YouTube comment channels now even angrier after ‘forced marriage’ to Google Plus

YouTube comments channels are widely known as a toxic and hostile environment – but Google had admitted that YouTube’s recent integration with Google Plus has made things even worse.
YouTube’s comment channel was integrated with Google accounts, and in particular with public Google Plus profiles, in an attempt, according to The Register’s report, to de-anonymize users and promote civil conversations.
In an offical post this week, Google said, “While the new system dealt with many spam issues that had plagued YouTube comments in the past, it also introduced new opportunities for abuse and shortly after the launch, we saw some users taking advantage of them.”
The search giant pointed out that the new system had led to an increase in extremely long comments, spam and ‘ASCII art’, where users draw pictures using keyboard characters. Such artworks are often obscene, as The Register points out.
“The integration of YouTube comments with Google Plus has led to a new wave of obscene comment spam and more junk, Google has admitted.What’s happened in the weeks since the change is that the flame wars in YouTube comments have continued while spam has arguably gotten worse,” the site’s report said.
Popular and prolific channels such as gamer Pew Pew Die Die’s turned off comments altogether, as reported by Graham Cluley, “Turning comments off until they are working properly,” Pew Pew Die Die wrote.
Cluley comments, “Clearly Google has no intention to listen to those petitioning against Google+ being the basis of YouTube comments, ASCII art or no ASCII art.Let’s hope that Google manages to police malicious and spammy links better, or it may become riskier than ever watching YouTube videos.”
The search giant said, “We’re moving forward with more improvements to help you manage comments on your videos better. Bulk moderation has been a long standing creator request and we’ll be releasing tools for that soon. At the same time, we’re also working on improving comment ranking and moderation of old-style comments.”
ESET Senior Research Fellow David Harley offers a glimpse into how comments on We Live Security work – and the problems that arise for those dealing with them, in a detailed blog post here.

Kickstarter, Urbanspoon and Warner Bros among 2,000 sites at risk from “impersonators”

Major websites such as Kickstarter, and the online photography community are among 2,000 at risk from a vulnerability that could allow attackers to impersonate real users and access their sites, according to a researcher.
The vulnerability affects sites using Ruby on Rails, a popular open-source web development framework, built, it claims, for “programmer happiness”.
The researcher who initially uncovered the vulnerability has published a list of affected websites this week, including the major names mentioned above, and other popular sites and apps such as My Fitness Pall. The full list is published here  on Maverick Blogging.
Researcher G S McNamara has offered to help development teams with the issue, which affects older versions of Ruby on Rails – and has notified sites including KickStarter. McNamara is continuing to research the issue.
The weakness was first uncovered in September, The Register reports, and theoretically allows attackers to impersonate users who have previously logged in.
The problem was uncovered by researcher G S MacNamamara, and is due to the web app’s failure to delete users’ details, stored as cookies, when they leave. MacNamara says, “a malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future. When a user logs out what happens is not what you would expect. The previous cookie is still valid.”
McNamara describes this as “logout” being “broken by default”, and says that users who fail to lot out of a site when they leave would face particular difficulties. He recommends users change passwords, or admins change the application. The vulnerability is no longer present in Rails versions 4.0 and later.
Threatpost commented that, “As you can imagine, when a user is working on an untrusted network connection or is sharing a computer with someone else, it makes their session extremely vulnerable.”

Cash – or crash? Tips and tricks for using Bitcoin safely

Within the last few days, two sites hosting online wallets for the cryptocurrency Bitcoin were targeted by hackers – the ‘heists’ netted more than $1 million each.
Oddly, though, this has not adversely affected the value of the cryptocurrency, which seems to thrive on publicity, whether positive or negative.
Despite the heists, plus high-profile law-enforcement actions against ‘dark market’ sites such as Silk Road, which conducted transactions in Bitcoin, the currency is now valued at $919 per coin, it’s highest-ever valuation.
Earlier this year, ESET detected new variants malware that attempted to steal Bitcoins, mine Bitcoins illegally, or break into wallets. Malware targeting other similar currencies such as Litecoin. An in-depth analysis of these by ESET researcher Robert Lipovsky is here.
We Live Security spoke to  James Andrews, Finance Editor at Yahoo UK, for a perspective on the currency from outside the world of technology.
“Nothing in finance is truly safe,” Andrews said. “Real currencies collapse, but the Bitcoin is less safe than most. It’s been called the world’s most perfect speculative material, which is fair. It has absolutely no value or use bar it’s rarity. If people stop valuing that it’s entirely worthless more or less instantly. Equally, though, prices might just keep rising and rising and rising – as more people buy into the idea and demand rises.”
On Twitter, an image showing the enormous rise and sudden collapse in prices of Dutch Tulips during the brief craze when the bulbs were first introduced in 1637 has circulated.
Could the same happen to Bitcoin? Perhaps – but there are steps you can take to keep your Bitcoins safer than most.
If your wallet’s stolen, act fast
If your Bitcoin wallet HAS been stolen, it’s not quite as easy for the attacker as stealing a real wallet – he or she has to move the currency out of it. If you’re lucky, and fast, this can sometimes save your coins. ESET malware researcher Robert Lipovsky says, “When the Bitcoin wallet is stolen from the victim, the attacker will have to “spend” the Bitcoins in it – by either adding them to his own wallet, purchasing something, etc.”
“The only way to get away without losing the money is if the victim is lucky enough to “spend” the Bitcoins (purchase something or import them to a new wallet) before the attacker does. Obviously, the chances of that are pretty slim.”
Keep your PC clean if you’re dabbling in Bitcoin
Cybercriminals love Bitcoin. ESET Malware Researcher Robert Lipovsky wrote in an earlier We Live Security post that Bitcoin and other crypto-currencies are being targeted by cybercriminals. “There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims’ Bitcoin wallets, or both,” Lipovsky writes. “Keep your computer clean and uncompromised by “thinking before you click” and keeping your system, applications and anti-virus up-to-date.”
Encrypt your wallet
Despite Bitcoin’s own beautiful illustrations of glittery coins, what you’re dealing with are numbers – long encryption keys. To stay safe, you just have to ensure no one else ever has access to these. ESET’s Robert Lipovsky says, “There are several important rules to keep  Bitcoins safe. The key words here are: back up and encrypt. Bitcoin provides a way to encrypt wallets, and this would make it much more difficult for the attacker to get his hands on the Bitcoins.” Clever Bitcoin users will encrypt all their wallets – although this slows performance – and have several for different uses. Very small amounts of money
Don’t keep all your eggs in one basket – or your Bitcoin in one wallet
Bitcoin is a special case – if you’re worried a site breach or Trojan attack may have put your hoard within reach, don’t just change passwords, even if your wallet is encrypted. Make a new one, and move your coins to it (with a new, strong password). Lipovsky says that the Bitcoin foundation’s own advice is excellent, “If a wallet or an encrypted wallet’s password has been compromised, it is wise to create a new wallet and transfer the full balance of bitcoins to addresses contained only in the newly created wallet.”
Most finance experts advise – don’t put your life savings in Bitcoin
Yahoo’s Andrews says that the soaring price of Bitcoin isn’t a signal to invest: “If you’ve made a profit on Bitcoins you already own, well done.  There’s simply no way to know whether their prices will keep rising, stabilise or collapse. And there are a lot of risks – everything from them being hacked, your e-wallet being hacked, someone successfully forging them or Bitcoins being made illegal.”
If you must store Bitcoins online, don’t store large amounts
Online Bitcoin wallets are not designed to work like bank accounts – they’re convenient, as you can access them from anywhere – but they’re a prime target for cybercriminals. An attack on Bitcoin site BIPS targeted web wallets. CEO Kris Henrikson said, ““Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in,” after his site was robbed of $1.2 million in Bitcoin.  Bitcoin says, tactfully, “Online wallets have a number of pros and cons.” After Bitcoin site was hacked, and $1.2 million stolen, its founder said, “I don’t recommend storing any bitcoins accessible on computers connected to the internet.”
Mobiles and Bitcoins don’t mix
Various Android apps offer ways to carry Bitcoins with you – but again, these come with their own risks. Earlier this year, a flaw in Android rendered ALL Bitcoin wallets unsafe – although it was rapidly patched – and apps which allow transfer via NFC add additional risks, particularly if a device is lost. “Mobile wallet applications are available for Android devices that allow you to send bitcoins by QR code or NFC, but this opens up the possibility of loss if mobile device is compromised. It is not advisable to store a large amount of bitcoins there.”
Keep your fortune in “cold storage”
If you’re serious about Bitcoin, the security procedures are long and complex – even Bitcoin admits that setting up an offline wallet, stored on CDs and USB sticks is “tedious” and “not user friendly”. A good guide to how to do this is here – and it may also provide an illustration of why mainstream PC users might want to consider sticking to good old US dollars. Bitcoin says, “Because bitcoins are stored directly on your computer and because they are real money, the motivation for sophisticated and targeted attacks against your system is higher than in the pre-bitcoin era.” Bitcoin’s own procedure for creating an “offline” wallet, which never contacts the internet in plaintext form, is here. This procedure is also known as creating an “air gap” or “cold storage”. Followed correctly, it provides protection from malware and cyberattacks – although not, of course, from traditional crimes such as extortion.
Still worried? Store them on paper
One safe – if extreme – way of ensuring Bitcoins don’t fall into the hands of hackers is to store them on paper. Bitcoin says, “When generated securely and stored on paper, or other offline storage media, a paper wallet decreases the chances of your bitcoins being stolen by hackers, or computer viruses.With each entry on a paper wallet, you are securing a sequence of secret numbers that is used to prove your right to spend the bitcoinsThis secret number, called a private key, most commonly written as a sequence of fifty-one alphanumeric characters, beginning with a ’5′.” Be sure, though, your PC is clean before you print – the free software used to generate codes has been targeted by cybercriminals. Run a complete scan of your machine first, then keep AV software running as you print out.

Online shoppers warned of scam websites in Black Friday and Christmas frenzy

The UK government has warned bargain hunters to be extra vigilant when searching for deals online this Black Friday and in the run-up to Christmas, confirming that cyber criminals netted more than £12m online during the same period last year.
The UK government issued the warning on Thursday, also revealing that its Action Fraud hotline received more than 10,000 reports about active cyber scams last year. Each scam reportedly earned the criminals an average of £1,700 per victim.
Dave Clark, detective chief superintendent of the National Fraud Intelligence Bureau, highlighted scams masquerading as deals on technology products, like the Apple iPhone and iPad, as being particularly problematic.
"Online shopping has revolutionised the way we buy our Christmas presents, with each year more and more people choosing to search for gifts over the internet rather than heading to the shops. However, the result is that online fraud is top of the festive scam list," he said.
"To reverse this trend we all need to be extra careful about what we're buying online and from whom, especially if it is popular technology at a reduced price. By carrying out all the necessary checks you should guarantee that your presents will be enjoyed by friends and family and not lost to fraudsters."
Security minister James Brokenshire said the government has already taken affirmative steps to prevent online fraud, and is working with the newly created National Crime Agency's (NCA) National Cyber Crime Unit to find and block scams.
"We are taking the fight to cyber criminals with the newly created National Cyber Crime Unit, but the public should also stay vigilant to ensure they don't lose their hard-earned money on fakes and frauds. Following straightforward steps while shopping online will help the public to avoid cyber fraudsters," he said.
"Shoppers can find great bargains online ahead of Christmas and this time of year provides a welcome boost to retailers. But shoppers should remember if something looks too good to be true it often is."
Fighting cybercrime has been an ongoing goal of the UK government since it launched its Cyber Security Strategy in 2011. The Strategy has seen the government mount several cybercrime-fighting initiatives including the creation of the NCA's Cyber Crime Unit earlier this year. In October the NCA announced plans to recruit and train 400 new specialist cybercrime fighters by the end of 2014.

Google breaches Dutch data privacy laws, says watchdog

Google Logo
Google's handling of its users' data has been found to be in breach of Dutch privacy laws, following an investigation from the country's privacy watchdog.
Following a seven-month investigation, the Dutch Data Protection Authority (DPA) has asked Google to attend a meeting to discuss its concerns, which relate to the way Google handles user data across its services.
The DPA explained in its report that Google utilises customer data from one service and applies it to another, and does not clearly enough explain to users how it does so. "Google does not adequately inform users about the combining of their personal data from all these different services," a DPA statement read.
"On top of that, Google does not offer users any (prior) options to consent to or reject the examined data processing activities. The consent, required by law, for the combining of personal data from different Google services cannot be obtained by accepting general (privacy) terms of service."
In a statement seen by Reuters, Google responded: "Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the Dutch DPA throughout this process and will continue to do so going forward."
Google has found itself in hot water with data protection authorities before, most recently with its Gmail service. In a court filing following complaints from US rights group Consumer Watchdog about the firm's use of advertising based on the contents of users' emails, Google said users should not expect total email privacy.
"Just as a sender of a letter to a business colleague cannot be surprised that the recipient's assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient's [email provider] in the course of delivery," the statement said.
Microsoft, meanwhile, has turned to poking fun at Google and its perceived privacy failings with its "Scroogled" campaign. The firm produces regular videos on the topic and has even created a range of Scroogled merchandise in time for Christmas.

UK banks hit by cyber attacks, Bank of England reveals

Several UK banks have been hit by cyber attacks that have led to financial losses over the past six months. The Bank of England revealed the startling insight in its latest Financial Stability Report.
The document – which outlines the various issues facing the financial sector in the UK – cites cyber security as a growing area of concern and revealed that several institutions have been affected.
“Cyber attack has continued to threaten to disrupt the financial system. In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services,” it said.
“While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.”
The report went on to warn that the financial market is particularly open to a widespread incident, given its interrelated nature.
“The financial system has a number of potential vulnerabilities to cyber attack, reflecting its high degree of interconnectedness, its reliance on centralised 
market infrastructure, and its sometimes complex legacy IT systems,” it said.
In order to try and combat this threat the Treasury, government agencies and financial authorities are working together to draw up an action plan to “assess, test, and improve cyber resilience across core parts of the financial sector."
This work includes the recent operation, dubbed Waking Shark II, which was designed to test how the market would react to a major cyber incident. A report into the outcome of the drill will be published in early 2014, the Bank of England said in its report.
V3 contacted the Bank of England for more information on the attacks but was told no more information would be made public.
The revelations underline the extent of the cyber threat to the UK as crooks and state actors continue to use digital attacks to steal data and financial information and try to disrupt business.
Chris McIntosh, the chief executive of security firm ViaSat UK, said it was not surprising that cyber incidents were on the up, and banks need to react to the trend immediately.
“The financial sector is a lucrative target for state-sponsored and organised crime, and this goes well above and beyond individual branches,” he said.
“Rather than waiting for the next data breach to occur, the UK’s banks need to realise that they have likely already been compromised and need to work back on this basis.”
The revelations come during the same week that the government issued a report saying some of the UK’s top businesses need to improve their cyber security policies as the threat from cyber attacks rises all the time.

EC tells US to regain trust on data protection after PRISM scandal

The European Commission (EC) has called upon the US to undertake several steps in order to restore trust following the revelations of wholesale data snooping sparked by PRISM whistleblower Edward Snowden.
The EC says the rules of "safe harbour" – the regulations which place US companies handling EU citizen data under the same data protection rules as European firms – are not working as intended, and therefore need to be made more stringent. It discussed scrapping safe harbour altogether if US businesses failed to comply, although this would be a last resort.
Safe harbour is a form of regulation that invariably affects cloud computing providers as data is often hosted outside the country in which the customer is based. The EC has found that there are too many weaknesses in the rules, coming to the conclusion that US businesses not conforming to safe harbour are gaining an unfair advantage above the EU businesses that are.
Elsewhere, the EC called upon EU-US co-operation on data transfers for law enforcement operations, requesting a speedy conclusion to ongoing talks on an "umbrella agreement".
It also asked the US to take into account EU citizens when it reforms its own national security practices. This follows the National Security Agency's (NSA) widespread tapping of European internet traffic, which seemingly disregarded any borders and laws.
EU justice commissioner Viviane Reding said the EC had a responsibility to continue to pressure the US into taking action. "Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced," she said. "Today, the European Commission is setting out actions that would help to restore trust and strengthen data protection in transatlantic relations.
"There is now a window of opportunity to rebuild trust, which we expect our American partners to use, notably by working with determination towards a swift conclusion of the negotiations on an EU-US. data protection umbrella agreement."
EU trust in the US has been severely shaken in the months following the PRISM scandal, with Germany accusing US spies of tapping vice chancellor Angela Merkel's phone. EC staff and buildings were also under the watchful eye of US spies, according to the leaks.

Firms urged to ditch Windows XP after zero-day attack discovered in the wild

Microsoft Windows XP screen
A zero-day vulnerability in Microsoft's Windows XP and Server 2003 has been discovered and is being actively targeted by hackers, leading to fresh calls for businesses to move to newer Windows versions sooner rather than later.
FireEye researchers Xiaobo Chen and Dan Caselden reported uncovering the vulnerability in a blog post, confirming that it only affects Windows XP systems.
"FireEye Labs has identified a new Windows local privilege escalation vulnerability in the wild. The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP," read the post.
The researchers confirmed evidence that the vulnerability is being actively targeted by hackers. "This local privilege escalation vulnerability is used in the wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability," read the post.
"The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit. Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it."
Microsoft Trustworthy Computing (TwC) group manager for incident response communications Dustin Childs confirmed the company is aware of the issue and is working on a fix. In the interim he recommended that XP users employ a temporary workaround fix. "While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy the following workarounds," he said.
"Delete NDProxy.sys and reroute to Null.sys. For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild."
The zero-day vulnerability's discovery has led to fresh calls within the security community for XP users to update their systems to run newer Windows versions. The SANS Internet Storm Center (ISC) issued a public advisory, warning XP users the new vulnerability is only the tip of the iceberg.
"The real story here isn't the zero day or the workaround fix, or even that Adobe is involved. The real story is that this zero day is just the tip of the iceberg. Malware authors today are sitting on their XP zero-day vulnerabilities and attacks, because they know that after the last set of hotfixes for XP is released in April 2014," read the ISC post.
"If you are still running Windows XP, there is no project on your list that is more important than migrating to Windows 7 or 8. The 'never do what you can put off until tomorrow' project management approach on this is on a ticking clock, if you leave it until April comes you'll be migrating during active hostilities."
Microsoft is set to officially cut support for its decade-old Windows XP operating system in April 2014. Despite the looming cut-off, widespread reports suggest many companies have still not begun migrating their systems to run newer versions of Windows although some firms are now on this path.

Government warns against lax cyber security at FTSE 350 firms

Digital security padlock red image
Some of the UK’s top businesses are failing to take adequate cyber security measures according to a new report by the Department for Business, Innovation and Skills (BIS).

The report into the top FTSE 350 firms found that only 14 percent are regularly considering cyber security threats, a figure that science minister David Willetts said needed to be higher as the threats from cyber attackers on big business have the potential to impact the whole nation.

“Without effective cyber security, we place our ability to do business and to protect valuable assets such as our intellectual property at unacceptable risk,” he said.

However, other elements of the findings by BIS painted a more positive picture, with 62 percent of companies saying they think board members take cyber risks “very seriously”, while 60 percent know which key information and data assets must be protected.

The report also noted that the bring-your-own-device (BYOD) trend is currently a big issue for many respondents, but this is also causing security concerns.

“A lack of clear direction of ‘best practice’ leaves many organisations unsure of the right approach to take to minimise the associated risk,” the report noted.

Willetts used the threat of cyber incidents to tout the ongoing work by the government to try and improve cyber security across the industry through information-sharing partnerships.

“A vital pre-requisite for driving forward our collective maturity and confidence in this area is the timely availability of relevant and appropriate cyber security standards with which organisations can develop and demonstrate their cyber security abilities and credentials,” he said.
Such moves by the government to improve security include the Cyber Security Information Sharing Partnership (CISP), which was unveiled in March. Some have criticised this approach for failing to provide helps for SMEs as well as big businesses.

US Forces sentenced for use of pirated copies in critical missions

The U.S. Government was sentenced for $50 Million because it has used of pirated copies of Military Software designed by Apptricity company.

The software piracy is not a prerogative of commercial software, illegal copies of military software have been used for years by U.S. Forces. The software used by U.S. military appears to be pirated copies of logistics software used for planning logistic activities in critical missions.
The Apptricity company, who has designed the software, accused the US Forces of willful copyright infringement and sued the Government for nearly a 250 Million dollars in unpaid licenses.
Apptricity signed a contract with the U.S. Army, in 2014 to provide an application that manages troop and supply movements, consenting its deployment on five servers and 150 standalone devices, .
Surprising, a recent settlement announced the US Government has agreed to pay $50 million for an early termination of the litigation.
“The Army has used Apptricity’s integrated transportation logistics and asset management software across the Middle East and other theaters of operation. The Army has also used the software to coordinate emergency management initiatives, including efforts following the January 2010 earthquake in Haiti,” states the company.
Let's step back and try to analyze the context of avoiding false morality and evaluating the repercussions in terms of security of the illegal adoption of pirated copies.
The US Government, supported by major software companies has adopted an intransigent conduct against piracy as confirmed by the statements pronounced by the Vice President Joe Biden when he introduced the Joint Strategic Plan to combat intellectual property theft.
“Piracy is theft, clean and simple,” 
Apptricity accidently have discovered the installation of thousands of unlicensed copies of the software during Strategic Capabilities Planning. In 2009 when the U.S. The Army Program Director revealed that the application designed by Apptricity was used by thousands of devices by the US forces.
Violating the contract the US military had installed pirated copies on 93 servers and more than 9,000 standalone devices.  Considering a license fee of $1.35 million per server and $5,000 per device, damage derived by piracy was estimated by Apptricity at $224 million in unpaid fees.
US pirated copied use 2
Apptricity filed a lawsuit at the U.S. Court of Federal Claims, the judgment in favor of the company was peremptory the Government was accused of willful copyright infringement.
“The Government knew or should have known that it was required to obtain a license for copying Apptricity software onto each of the servers and devices,”
After long negotiations the parties reached an agreement for the payment of a reduced amount:
“After Alternative Dispute Resolution proceedings, the parties agreed to settle for $50 million. The figure represents a fraction of the software’s negotiated contract value that provides a material quantity of server and device licenses for ongoing and future Department of Defense usage,” stated Apptricity.
Now apart the legal implication of piracy in a military environment let's consider that the illegal copies of the software within critical environments represent a serious threat. Illegal copies are out of maintenance an could be also excluded from update programs, this may have serious repercussions in term of security. In critical environments pirated copies could also be deliberately altered to introduce malicious agents representing a concerning hole within overall security context.
In the specific case a bug, but also an intentional hack, could cause the exposure of sensitive information in high risky context. The shared awareness about the adoption of illegal copies within an environment could also trigger a domino effect, in many cases in the offices it is easy to find other pirated software installations.
Another side effect it related to the disabling of system/network functionalities to allow the execution of pirated copies without being discovered, in some cases this could have an impact also on the security setting of the host platform.
Coming back to our case, it is opportune to note that despite the copyright dispute, Apptricity will continue its business partnership with the U.S. Forces.