Wednesday, 22 January 2014

Cash crash ahead? ‘Death’ of Windows XP could leave 95% of world’s ATMs vulnerable

As many as 95% of ATM machines around the world could be vulnerable from April onwards, when Microsoft cuts off regular security patches for Windows XP on April 8. Most ATM machines in the U.S. and worldwide still run the ageing operating system – and some banks may continue ‘indefinitely’.
The Verge reports that ATM software company KAL estimates that just 15% of American ATMs will upgrade to Windows 7 by April. “That leaves thousands of machines running out-of-date software,” the site said.
A report by Bloomberg Businessweek says that 420,000 ATMs in the U.S. still run Windows XP, according to Robert Johnston, marketing director at NCR, the largest supplier of ATMs in America, and now face a ‘deadline’ to upgrade. After April 8, the machines will be at risk of non-compliance with industry standards, and at increased risk of attacks against the OS.
Speaking to The Verge, NCR said that most ATMs still run the full version of Windows XP, with support ending in April, while a minority run Windows XP Embedded, which will be supported until 2016.
Many banks face costly hardware upgrades to replace ageing machines which cannot support Windows 7 – JP Morgan says 3,000 of its 19,000 ATMs will require “enhancements” to support Windows 7, according to Bloomberg.
The Verge reports that JP Morgan is to buy a custom support contract from Microsoft to extend the life of ATMs running Windows XP.
“The ATM world is not really ready, and that’s not unusual” says Aravinda Korala, chief executive officer of ATM software provider KAL, according to a report by the Daily Mail, which describes XP-powered machines as ‘vulnerable’. “ATMs move more slowly than PCs.”
In a presentation in December, Mr Korala suggested that some banks intended to continue to use XP-powered machines ‘indefinitely’.
Earlier this month, Microsoft affirmed that XP would no longer be “a supported operating system”, but that it would provide assistance to users in the form of antimalware signatures for some months after the April deadline for patches, as reported by We Live Security here. “To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.”
Despite Microsoft setting April 8, 2014 as the “end of support” date for Windows XP, around a third of PCs worldwide still run the operating system, according to research firm Net Applications.
“We will continue to help our customers complete their migrations as Windows XP end of life approaches,” Microsoft said via its blog post. The company made it clear, though, that Windows XP was a less safe option than newer versions of its OS. “Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”
Windows XP users already face a higher risk of malware infection, as reported by We Live Security here. Per 1,000 PCs scanned, 9.1 XP machines had been infected – as compared to 1.6 for Windows 8, according to a report by Neowin.
“Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms. While we are proud of Windows XP’s success in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern day threats and increasingly sophisticated cybercriminals,” Microsoft wrote in a statement last year.

Not Enough Evidence the Internet of Things Botnet Actually Exists

Internet of Things There was a report last week about a spam botnet using "Internet of Things" devices—a refrigerator, even!—but the evidence supporting this claim feels a little circumstantial.
As reported late last week, cloud security company Proofpoint claimed a botnet sent out 750,000 spam messages in waves between Dec. 23 and Jan. 6. While most of the messages were sent by conventional means, such as personal computers and mobile devices, more than 25 percent came from non-traditional sources, including "100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centers, televisions, and at least one refrigerator," Proofpoint said.
Researchers have repeatedly warned that the surging popularity of smart appliances and devices (this year's CES was heavily dominated by "Internet of Things") meant attackers would start taking advantage of these devices to launch attacks. Security Watch even highlighted the vulnerabilities in Internet of Things as part of its look-ahead for 2014. However, Proofpoint's report is not definitive proof that such a botnet already exists.
A Look at Proofpoint's ClaimsTo be clear, there is nothing that jumps out in Proofpoint's report as being impossible. The attackers took advantage of the fact that many of these networked devices still had default passwords or had been configured incorrectly, Proofpoint said. This is nothing new, since researchers have been demonstrating how to install a backdoored firmware onto vulnerable routers since 2008.
Proofpoint warned that the growing popularity of Internet of Things would encourage attackers to try to hack these devices. Considering that many of the devices run some kind of Windows operating system or Linux, and increasingly, Android, this is also very plausible. Several researchers demonstrated attacks against non-PC devices at last year's Black Hat and DEFCON, including cars, Samsung Smart TVs, and home surveillance cameras. Consumers generally don't think about updating the firmware on their wireless routers, let alone their TVs and garage door openers. There is no question that these devices are ripe for compromise.
"The Internet of Everything means everything is hackable," Michael Daly, CTO of cybersecurity and special missions at Raytheon, told Security Watch.
So if a botnet of Internet of Things, or "thingbots," as Proofpoint calls it, is possible, what is the problem? The thing is, Proofpoint's report doesn't provide a lot of details about the botnet itself. There is no information about what kind of command-and-control server the botnet was supposedly using, or even how the researchers came up with the 100,000 number in the first place.
While it's possible that smart devices were connected directly to the Internet, it's not very likley as most home networks have multiple devices connected to the router. It isn't clear at this point how the researchers were able to tell that spam was sent by a compromised refrigerator, rather than, say, a compromised Windows machine on the same network. Consumer routers also generally use Network Address Translation (NAT) so that all the traffic going out to the Internet uses the same public-facing IP address, instead of having each device have its own address.
As an aside, this will change with IPv6, but I wonder whether enough home networks are IPv6-enabled at the moment to make a difference with this report.
Skepticism, Not Disbelief
Proofpoint also mentioned that the botnet restricted the mail sent to just 10 spam messages per IP address. This seems like a whole lot of work for so little gain. Spammers generally blast out as many spam messages as possible—sending small volumes over a period of time is not really part of their traditional M.O.
As it stands, there is nothing that says Proofpoint is incorrect in its claims of the "first proven Internet of Things (IoT)-based cyberattack," but there is not enough evidence to accept this claim at face-value, either. Ars Technica was skeptical about this particular botnet and asked Paul Royal, a research scientist at Georgia Tech who specializes in network and system security, to weigh in. "The aggregate of the information doesn't paint an adequately compelling picture that what they're asserting occurred actually occurred," Royal told Ars Technica.
That said, we need to start thinking of ways to start protecting our devices.
These smart devices can be compromised in the same way mobile devices are: through apps. Just as mobile devices can be compromised if a malicious app is installed, some of these home appliances and networked devices may support apps such as Twitter and Facebook, said Christian Crank, a security researcher at TrainACE. In the case of a set-top TV box or a smart TV, the user may be tricked into downloading something malicious. The average home should not download apps that would allow the appliance to check messages, access contacts, send SMS/MMS messages, or make a call, Crank said. Users should also make it a point to turn on the built-in firewall on their routers.
There is no need to wait till the attackers do successfully compromise our TVs, fridges, and thermostats before we wake up to security.

Antivirus Products Show Off Under Windows 8.1

Swine Flu
Flu season is in full swing, and you've probably had your flu shot. But is your computer protected against viruses? Throughout the chilly November and December of 2013, researchers at AV-Test ran two dozen antivirus and security suite products through a barrage of tests. They've just released the latest results, identifying which products excelled in several different criteria. If you're considering which security product to choose, or considering switching from your current protection, you'll want to check these results.
Each product earned up to six points in each of three categories. The Protection score incorporates two measurements; how well did the product defend against widespread, prevalent malware, and how well did it defend against brand-new zero-day attacks. For a good Performance score, the product must not slow down everyday activities including "visiting websites, downloading software, installing and running programs and copying data." Antivirus software that warns about or actively blocks valid software and websites causes more trouble than it's worth, so a good Usability score requires few or no false positives.
At the Top
In November's edition of this report, Kaspersky managed a trifecta: six of six possible points in all three categories. Note that testing lab AV-Comparatives named Kaspersky their product of the year for 2013. Kaspersky remains at the top in the latest report, joined by Bitdefender. Bitdefender's improved performance score pulled its total up to a perfect 18 points.
Avira pulled its protection score up from 4.5 points to 6.0, putting it in second place overall with 17.5 points. Products from Qihoo and F-Secure tied for third, with 16.5 points total.
At the Bottom
The team behind Microsoft Security Essentials and Windows Defender aren't trying to compete with third-party antivirus vendors. They've made it clear that Microsoft's protection is a baseline, something to make sure everyone has at least some protection. Of course, a product that doesn't perform as well as this baseline really needs to improve.
Both AV-Test and AV-Comparatives take Microsoft at its word. They include Microsoft in testing, but just as a baseline. This time around Microsoft took 11 points; four products scored lower than that baseline. With 10.5 points, Norman and K7 barely achieved certification. AnhLab and Kingsoft didn't make the cut, both with 9.5 points. That's actually an improvement for AhnLab, which earned 9.0 points last time. Kingsoft dropped from 11.5 down to 9.5 because it totally blew the performance test.
Zero-Day Protection
Protection against viruses and other malware is the prime directive for antivirus products. As noted, AV-Test tests products against widespread malware and against brand-new zero-day malware. The report broke out a pair of charts showing each product's ability to block zero-day malware in November and in December.
Avira, Bitdefender, Comodo, F-Secure, Kaspersky, and Symantec managed 100 percent protection in both months. Six others managed 100 percent in one month, but not the other. For both months, Microsoft, AhnLab, ThreatTrack/VIPRE, Tencent, and Norman made up the bottom five. Their order within the bottom five varied, except for Microsoft. With 64 percent one month and 76 percent the other, it had the very lowest scores.
On the flip side, AV-Test didn't actively turn off any protection built into Windows 8.1. Unless the security product itself disabled Microsoft's antivirus and firewall, those components remained active. It's possible that some of the top scorers got a bit of a boost from Microsoft. (Say thanks, guys!)
Independent lab scores are important, but tracking results from multiple labs is essential. It's actually very difficult to test security software, and the best labs keep working on innovative testing methods. A product that excels with all of the labs is surely one that will do a good job protecting you and your PCs.

Vietnamese malware : ‘Single post’ enough to trigger spyware attacks against U.S. bloggers, EFF claims

A single anti-government blog post is enough to trigger personalized spyware attacks from hacker groups supporting the Vietnamese communist state, which the Electronic Frontier Foundation claims targets anti-government bloggers – even those in other countries – with malware, including its staff, and Californian activists.
“EFF is greatly disturbed to see targeted malware campaigns hitting so close to home,” the group said, after emails targeted its staff with spear-phishing attacks delivering malware.
A Washington Post report described how democracy activist Ngoc Thu, a Californian blogger, ‘sensed’ something was wrong with her PC – and that, as she described it, “somebody was there.” Just days afterwards, her personal emails and photos appeared on the blog, mixed with offensive messages – and she was locked out.
Activists from the Vietnamese Blogger Network are currently touring America to draw attention to the state’s recent crackdown on dissenting voices, according to a report by Voice of America.
A recent report by Voice of America said that the state was the fiifth-biggest jailer of journalists in the world, and “was holding 18 journalists, up from 14 a year earlier, as authorities intensified a crackdown on bloggers, who represent the country’s only independent press.” The figures were based on an annual report by the Committee to Protect Journalists’ annual report on repressive regimes.
The EFF alleges that pro-government cyber attackers have used malware to target EFF staff, plus a Vietnamese mathematician, activists and journalists.
In a blog post released this week, the group said, “For the last several years, the communist government of Vietnam has used malware and RATs [Remote Access Tools, powerful software which can remote-control PCs - demonstrated by ESET's Stephen Cobb here] to spy on journalists, activists, dissidents, and bloggers, while it cracks down on dissent,” the group said.
The new campaign, though, used highly targeted attacks aimed at specific critics of the government – including EFF staff.
“On December 20th, 2013, two EFF staffers received an email from “Andrew Oxfam,” inviting them to an “Asia Conference,” and inviting them to click on a pair of links which were supposed to contain information about the conference and the invitation itself,” the group said in its post.
The malware was sent out as a link to a Google document, and was sent in emails tailored to targets – the activists were invited to a conference, and an Associated Press journalist was offered a white paper from Human Rights Watch.
“Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences. For greater verisimilitude, the attacker should have included an offer to pay for flights and hotels,” the group commented.
“Several registry changes are made to enable the malicious implant to persist after reboot,” the group said, and says that it initiates a connection  to domains linked to earlier malware attacks against Vietnamese bloggers.
“Examining this malware reveals a relationship to earlier campaigns targeting Vietnamese activists,” the group said, “A prominent Vietnamese pro-democracy blogger living in California was successfully targeted by this attack, which led to the compromise of her blog and the invasion of her private life.”
“The group behind these attacks appears to have been operating since late 2009, and has been very active in the targeting of Vietnamese dissidents, people writing on Vietnam, and the Vietnamese diaspora. The appears to be the work of a group commonly known as “Sinh Tử Lệnh” and while it has been anecdotally claimed to be the work of Chinese actors, it seems to be more likely the work of Vietnamese targeting Vietnamese.”
The Vietnamese government’s targeting of those who express opinion has drawn sharp criticism.
Writing for The Register Citizen, the Washington Post’s Jim Hoagland says, “In Vietnam alone, 34 bloggers are in jail for expressing opinions,” he writes, “We live in an era of counterrevolution. For nearly three decades, the globalization of dissent, instant information and political self-empowerment helped overturn scores of dictatorships. But like the European monarchies of the early 19th century, the surviving autocrats are fighting back, often using scorched-earth tactics.”

Push to replace “hugely insecure” credit card system in U.S after rash of retailer breaches

The ‘magnetic stripe’ credit cards used by American banks should be replaced with the more secure chip-and-PIN systems standard in Europe and around the world – and the recent data breaches suffered by Target, Neiman Marcus and other retailers should be a ‘wake-up call’, according to JP Morgan’s CEO and other security advocates.
Ed Mierzwinski of the U.S. Public Interest Research Group says that the breach has captured public interest in the security of their  cards, according to a report by, and says that he believes it may catalyze change,”Congress has begun to ask questions,” he said. He describes the current system as viewing fraud as “just a cost of doing business.”
“This cyber-security stuff we’ve now pointed out for a year is a big deal. All of us have a common interest in being protected, so this might be a chance for retailers and banks to, for once, work together,” said JP Morgan CEO Jamie Dimon, according to Business Day Live’s report. Visa and Mastercard have also called for change.
Last week, Dimon described the breach as a “wake-up call”. JP Morgan is the world’s largest issuer of credit cards, according to USA Today’s report, and replaced two million cards in the wake of the breach.
The U.S. accounts for nearly half of the world’s $11.3 billion fraud losses on payment cards,, according to the Nilson Report, an industry newsletter.
“The absence of EMV cards and terminals in the U.S. contributes to fraud losses. Adoption of EMV at the point of sale is the strongest defense against counterfeit cards,” Nilson wrote. EMV terminals take various forms, but cards equipped with the technology are far more difficult to clone, according to Forbes. In Forbes, Adam Tanner points out that even North Korea outpaces America on card security.
“Magnetic stripe card technology is outdated at best––predating the floppy disk by only a year––and hugely insecure at worst,” CNBC commented in a video report on the breaches afflicting American retailers.
Yahoo News UK’s Finance Editor James Andrews says that Europeans find America’s position puzzling, “Despite inventing the credit card, the US has generally lagged behind the rest of the world in finding new uses for plastic. The British invented the ATM in 1967 and the French have had smartcards and PIN verification since 1992.”
“Chip and PIN isn’t perfect, but has led to a big reduction in card fraud in the UK and made card cloning and skimming far harder.”
Describing America as an ‘island’ in a world of EMV or ‘Smart Chip’ cards, CNBC pointed out that not only Europe, but also emerging economies use the more secure EMV system.
Magnetic stripe cards have been used for more than 40 years, having been patented in 1969, speeding up a credit-check process from “minutes” to “seconds” – previously, retailers had to manually check card numbers against a book of “bad” cards issued each months, according to the system’s inventor, Ron Klein, as reported by Yahoo! News.
Gartner analyst Aviva Litan wrote in a blog post, “Bottom line: it’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system.”
Smart Chip cards are not immune to fraud – but the PIN codes and ‘Smart Chips’ makes many forms of card fraud more difficult.
“While the Target breach is serious, consumers divulge the same information every time they hand their card to a waiter in a restaurant,” said Paul Schaus, president and CEO of CCG Catalyst Consulting Group, in USA Today‘s report.

Make it stop! How to cleanse your PC of unwanted adware (and ‘badware’)

Every day, there are 100,000 new variants of malware detected around the world, according to security expert Graham Clulely.
‘Adware’, software which delivers unwanted adverts, might seem among the least threatening – after all, we’re bombarded with adverts as soon as we log on, and legitimate companies constantly harass us to install their toolbars, or make their page our home page.
ESET’s security programmes classify such software as a lower risk, than, say, a Trojan which logs keystrokes, and users can choose to enable such ‘potentially unwanted applications’.
But the sophistication, and hi-tech evasion techniques displayed by malicious adware such as Win32/Boaxxe, analyzed by Researchers show that not only can ‘adware’ be far from innocent, the newest ‘badware’ is also highly sophisticated, reacting to search queries to deliver its tainted results.
“Boaxxe.BE, is an impressive malware family with numerous sub modules, which takes lots of precautions to stay stealthy,” says Calvet, “For example, it won’t redirect users to ads when the user clicks on common websites (Wikipedia, Facebook,..), or the maintenance of its own DNS cache in order to avoid relying on the too-noisy Windows cache.”
Adware, in general, will rarely slow your PC – the software is small, light, and discreet. But controlling what adverts you see should be important to any user – sometimes, the software can redirect users to infected sites.
Legally, adware is also a very, very grey area – much adware arrives as part of a ‘free’ program, then proves hard to uninstall. Companies such as OpenCandy do legitimate business – often distributed as part of ‘toolbars’ offered by other companies – but are controversial, with Microsoft among others having flagged versions of their software as malicious.
Diagnose the condition
Spotting if you are infected is actually quite hard – the internet is already full of annoying adverts, which many of us don’t want to see. Sophisticated malware such as Win32/Boaxxe will also ‘tailor’ adverts to your searches (described by ESET researcher Joan Calvet as ‘user-generated click fraud’ – but much adware is less subtle. If you ever see ads popping up on your desktop, or within apps other than your browser, or different sites appear than the one you expect when you type in a URL, you probably have a problem.
Check your bookmarks and favourites
Look in your bookmarks and favourites folders in your browser – all look familiar? If not, worry. Changing home pages, adding new bookmarks and favourites are all signs of adware – often the semi-legitimate kind – but if you suddenly find a new set of bookmarks, it might be worth a visit to Control Panel to see if new programs have appeared, and uninstall them.
Spring clean your browser
Ensure your browser is set up to block installation of extensions by default, and to block pop-up adverts. Even sophisticated malware can’t do magic – while Win32/Boaxxe is laden with advanced stealth techniques, it can be seen if you check through your browser – and know what you’re doing. ESET researcher Joan Calvet says, “It’s worth mentioning that Win32/Boaxxe.BE installs its Chrome and Firefox extensions as visible, and thus they will appear in the extensions panel.” It’s worth checking this panel regularly anyway, as a precaution – if you see programs you don’t recognize, kill them. Calvet warns, however, that Boaxxe is no ordinary adware, “You cannot rely on the extension name to check if it is legitimate – it will not warn you that it is being installed, and you may have to use Developer Mode to check the extension ID on Chrome Store.”
‘Freeware’ is rarely a free lunch
If a program is free, that sounds great – but it should set alarm bells tingling. Often adware is delivered as part of ‘free’ software, with your ‘consent’ to this buried deep within a licence agreement. Think hard about whether you really need software – and read reviews on other sites, not the owner’s before downloading.
Hard to kill – but worth it
If your PC has been around a while, uninstalling software can be a daunting task – there’s often pages of it. But adware can be killed. Look for publishers you don’t recognize, software whose name you don’t remember – but Google first, before hitting the button. Some companies install ‘helper’ apps which are perfectly legitimate – such as Apple’s Bonjour, which arrives alongside iTunes – so it pays to select targets carefully.
Actually read licensing agreements
We don’t suggest keeping a lawyer on hand, but be careful with software that claims to be ‘free’ – open the licensing agreement and search for words such as “information” and “advertising”. Read about the developer – and read reviews before installing. Intrusive adware usually causes a storm of internet fury – so if freeware does come with unwanted ‘passengers’, it’s often not hard to find out.
Toolbars are tools you don’t need
Not content with providing cybercriminals with many of the ‘entry points’ they use to attack PCs (as reported by We Live Security here), Java also ‘offers’ users a toolbar for the unpopular search engine Ask, each time they install one of its many, many security updates. Untick this box. Ask is laden with far more adverts than Google. Toolbars often offer little service to the user bar ‘binding’ them to one search tool or email provider.
If your browser asks for permission for an app, read it
Both Chrome and Firefox will warn you if an app is installing an extension in your browser – don’t ignore these warnings. Adware is often installed this way, so read the warning, and if you don’t recognize or want the program, say no. This does not apply, however, to stealthy malware such as Boaxxe.32, which arrives in disguise, so it’s worth visiting your extensions folder often, just to check you’re not carrying any stowaways.
Most anti-adware is, in fact, adware
The worst possible thing you can do is to search for ‘anti-adware’ software – the web is loaded with such ‘free’ software, most of which is adware, often worse than the adware you already have. It is like attempting to cure yourself of a cold by injecting yourself with the ebola virus. There are some legitimate, and good, programs – PC Decrapifier does a good job but most such ‘free’ tools are traps, pure and simple.

Why are so many kids still not receiving computer science education?

It is no secret, at We Live Security we strongly believe in the importance of education. We don’t just “live” security; we “live” educating people about security. Naturally, any time we hear about gains in this particular arena, it is an exciting thing. The city of Chicago, Illinois recently announced a change to the curriculum for schools in their district that would introduce children as young as primary school to computer science concepts. It would also allow students to count computer science as a core subject that fulfills graduation requirements, rather than simply be an elective.
This sounds like a big step in the right direction, preparing students to deal with an important aspect of twenty-first century life. But what does the boost for computer science, often affectionately abbreviated to comp-sci, mean in the grand scheme of things?

Why does K-12 comp-sci matter?

For those of us who have been out of high school for more than a few years, this announcement from Chicago might come as a surprise. Aren’t all kids getting computer science classes already? You would think so, with so many of us adults already using computers in our jobs, regardless of our job title. And how many more of us are required to have some level of proficiency with technology, no matter what field we work in? Yet, schools are just now starting to introduce computer related curricula?
The percentage of people needing to use computers proficiently seems to be rapidly approaching 100%, at least for skilled jobs in the US. And in terms of job security and satisfaction, technical jobs have much to offer. In lists of the best, the most lucrative and most in-demand jobs, those positions utilizing computer experts are always in the top five. The demand for people who know how to program or maintain computers and networks–especially those who know how to do these things securely–vastly outpaces the supply. (See the We Live Security story on Huge shortage of cyber-defenders.)
Given that there is a massive need for people to take jobs that require computer skills, one might think that getting kids interested in computers would be considered something of the utmost importance. But apparently this is not yet the case. As far as we can tell, in most states in the US, if computer science is offered at all, it is considered an elective subject, which means it does not count towards a student’s graduation requirements. Many students do not have room in their schedule to include electives, and indeed they have to go out of their way to get exposure to those subjects not considered part of their core curriculum.
While Chicago is to be lauded for its recent changes, it is still just one of only a handful of locales in the US that allows computer science to be counted towards high school graduation requirements. With the changes proposed in Chicago, students at all levels of the primary and secondary systems will have more access to computer-related classes. At the elementary and middle school level, students will have access to a computer science “pathway”, which will allow them to get an additional focus on that subject. At the high school level, there will be an “Exploring Computer Science” class at each school, and certain schools will also offer an Advanced Placement (AP) Computer Science Class, in addition to the ability to use computer science classes towards graduation.

What is happening elsewhere?

Let me preface the following information with a bit of a caveat: I was educated in the US and can only profess a thorough understanding of this one system. As I was reading the information on the state of computer science in the American education system, I naturally wondered how this compared with that of other countries. From what I was able to glean from a search on graduation requirements elsewhere in the world, it seems as though the US is quite a bit behind other countries. But it is also apparent that direct comparisons are difficult at best.
Every country seems to have a slightly different focus in their educational system, and this is apparent not only by viewing what is considered a “core subject”, but by looking at what elective classes are actually chosen by students. There are a few subjects that are internationally considered required subjects: Reading, Math, and Science. (N.B. In this context Science includes only traditional sciences, not computer science). Beyond this, each country adds other subjects that they consider to be exceptionally important.
To get an idea of the differences in culture, let’s look at a couple of very dissimilar examples, both of which are considered very successful in terms of their test results for those universal “core subjects”. In Finland, which is generally the country in Europe whose scores in Reading, Math and Science are consistently highest, there is less focus on taking standardized tests or doing hours’ worth of homework. Students are strongly encouraged to take multiple languages aside from their native one, and being strong in natural languages seems to be a primary focus for their educational system.
In Korea, another very highly-rated country, things are very different. Students typically go to school for incredibly long hours and have homework on top of that. The curriculum is not so strongly focused on any one area of education, though students are expected to learn both Korean and English. In both Korean and Finland, like in the US, computer science is considered an elective. But in practice, Korean students get much more exposure to computer-related topics, in part because those long days give them more time to get exposure to a wider variety of subjects.
Another important difference in the culture of schools in Finland as opposed to Korea is that there is much more focus on digital literacy and ethics in the latter, and by 2015 all textbooks in Korea are expected to be digital. This is a long way from either country considering computer science a required science subject, but it does at least expose Korean students to computers as a powerful tool, and they are indeed taught about using that tool ethically.
But digital literacy is not the same as understanding how computers actually work. There is a range of different types of classes covering computer related subjects that begins at “digital literacy”, includes “information and communication technology” and ends with true “computer science”. Most countries do not cover computer science in this latter sense, but cover something much more simplistic. A class or standardized test in “computer science” in many countries may cover no more than basic Java programming or familiarity with office productivity suites. For those of us in a computer-related field, this definition is laughably inadequate. This paper written by Simon Peyton Jones from Microsoft Research, in conjunction with several international educators, offers a very thorough breakdown of what computer science actually entails in various countries.
The current situation can be, frankly, a little depressing. Very few places offer in-depth computer education to students before college, those that do may employ teachers that arguably have less experience in the subject than the average student. As a result the classes have little utility and are often declining in popularity. But fortunately, there are things that you and I can do to help this situation, to ensure that our future coworkers are better prepared.

What can we do about it?

The things that you and I can do about the current state of computer related education can be broken down into two areas: Encouraging change in policy, and helping expose students to computers and code. Here are a few suggestions for how you can get involved:
There are also plenty of organizations on a local level that offer mentorship opportunities, which are a great way to expose kids to careers in Science and Technology (especially those of us in less obvious or traditional areas of computer-related employment). For instance:
Kids are now growing up in a world where computers are a part of almost every home, which means many of them are accessing the Internet without a good understanding of how it works, or how to use it safely. By educating them early and often on how best to use these powerful tools, we will not only help protect them from potential harm, but give them the promise of lucrative and meaningful employment when they reach adulthood.
Do you know of schools that are doing a good job when it comes to computer science, ethical computing, and computer security? We would love to hear some good news. Leave a comment and let us know.

Interview: ‘Fully encrypted’ Android Blackphone – will it allow for spy-proof communication?

A new, sleek Android-based smartphone will allow secure calls, text and exchange of data from any country on the planet, its makers claim – and the upcoming launch of Blackphone has ignited worldwide debate.
The company behind it, Silent Circle, is to launch the device at Mobile World Congress in Barcelona this Spring, in collaboration with Spanish smartphone company Geeksphone, according to Business Insider.
According to TechCrunch’s report, the venture is Switzerland-based, with Geeksphone having previously manufactured Android handsets, and currently working on hardware for Mozilla’s open HTML 5-based Firefox OS before teaming up with encryption experts Silent Circle. The company describes Blackphone as, “The world’s first smartphone placing privacy and control directly in the hands of its users.”
Speaking via email, Silent Circle’s Toby Weir-Jones said, “It’s obvious there is tremendous interest in the goals we’ve set for Blackphone, even though we have released so little concrete detail so far.   Our focus is on the visible layers of the phone — the applications, the user interface of the operating system — and giving our customers the control necessary to exercise their right to privacy.”
TechCrunch points out that encrypted phones are already on sale, such as Germany’s GSMK Cryptophone, which offers 256-bit AES and Twofish symmetric encryption. But such phones do not offer the versatility of a modern smartphone OS, according to Blackphone’s makers.
Silent Circle was formed in 2011, has has launched messaging services for PCs and Smartphones, according to AFP’s report. Its founders include Phil Zimmerman, a famous figure within the world of encrypted communication, who created the widely used PGP (Pretty Good Privacy) standard. Silent Circle previously offered an encrypted email service – but the company shut the service to avoid handing records to the U.S. government, after rival service Lavabit was subpoenaed.
CEO Mike Janke told AFP that the phone was in development before Edward Snowden’s revelations about NSA programs: “We did this because there was a problem that was not being solved: secure communications,” said the former U.S. Navy Seal.”We offer completely encrypted, peer-to-peer communications. We have encrypted video, encrypted text and secure VoIP (Voice-over-Internet-Protocol) calls.”
One vocal fan of previous encrypted phones is Julian Assange, “I don’t use email,” he said in an interview with Google’s Eric Schmidt, reported by Yahoo News. “Too dangerous, and encrypted email is possibly even worse, because it is such a flag for end point attacks … but we do have encrypting phones. Unfortunately they don’t work in all countries, but the SMSs work in all countries.”
Blackphone runs a modified version of Android known as PrivatOS. Weir-Jones said that the company is aware that no device can be ‘spy-proof’, and that the gadget is a “first step”
“This is an important and incremental step towards restoring some of the balance of power which has been eroded over the past many years,” he said via email. “ It stops the consumer from being the product themselves, where their activity is monetised in exchange for access to free services.  And in cases where the information they wish to exchange is, itself, commercially valuable, it makes it harder for malicious actors to intercept and gain access to that information.”
“Most of the individuals who’ve contacted us are just grateful that someone is making real efforts to improve the state of the art,” he says. “and recognise that it’s an important step in what will be an ongoing journey.  We’ve also had a huge amount of coverage from both the technical and general press.”
“As far as consumer awareness of privacy issues goes, we’re aware that at least some of the present activity is more to do with recent high-profile news stories about surveillance agencies and their activities, rather than a more fundamental sea change in attitudes and degrees of awareness.  We see the longer-term effect of these episodes as catalysing events first and foremost; once the volatility of the day-to-day news cycle subsides, we’ll be able to see what lessons have stuck.  Security has always been a tough sell at the consumer level, because it usually decreases convenience and is therefore an impediment to getting stuff done.”
ESET Senior Research Fellow David Harley said, in an earlier We Live Security article regarding government spying and encryption, “Paraphrasing Bruce Schneier, if a well-resourced intelligence agency or LEA wants to know your secrets ‘they’re in’, and some much-hyped encryption programs will offer very little resistance. Selecting the right security software of this sort and properly installing and maintaining it is not easy. If you want to do it properly – and safely! – it needs time and care.”
Graham Cluley, a security industry veteran, said that one of the dangers Blackphone faced was success, saying that if such a device became a “de facto standard”, it would become a target not just for intelligence agencies but for “glory-seeking hackers”.
Standard Android devices do have cryptographic protection built in, as do modern PCs, although this is focused on protecting files rather than cloaking communications – a beginner’s guide from We Live Security, detailing to how to protect your data using such technology can be found here.

‘Password’ no longer weakest choice as ‘123456’ surges into first place

Password security company Splashdata has released a new version of its annual list of the world’s worst passwords – and ‘password’, last year’s number one, has been unseated by ‘123456’.
The company compiles its list from databases of stolen passwords posted online, with the ‘worst’ passwords being the most commonly used – this year’s list was influenced by the huge security breach at Adobe, where two million users chose 123456 as their password, as reported.
Morgan Slain, chief executive of SplashData, told Yahoo News  that: “Seeing passwords like ‘adobe123′ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing.”
The list of stolen passwords was published online by security consulting firm Stricture Consulting Group following the breach. SplashData’s annual list is widely reported – and aired on the Today show – but despite the publicity, users continue to use weak passwords.
The company said in its official statement that the list, “shows that many people continue to put themselves at risk by using weak, easily guessable passwords. Some other passwords in the Top Ten include “qwerty,” “abc123,” “111111,” and “iloveyou.”
“Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies,” Slain said. “For example, new to this year’s list are simple and easily guessable passwords like “1234″ at #16, “12345″ at #20, and “000000″ at #25.”
“As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”
Change from 2012
Up 1
Down 1
Up 1
Down 1
Up 2
Up 5
Up 2
Up 5
Down 7
Down 11
Down 5
Up 4
Down 12
ESET Senior Research Fellow David Harley says that in cases such as the Adobe breach, even users with “strong” passwords are at risk – and should think carefully about other sites where they may have used the same password:“Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”
While no password, however complex, can offer complete protection – a cybercriminal with sufficient time and password-cracking software will eventually break any password – using such weak passwords allows criminals to access accounts more quickly.

Giant snake swallows zookeeper! Facebook scam spreads via offer of gruesome video

A video purportedly showing a gigantic snake swallowing a zookeeper is the latest viral scam on Facebook – tricking thousands of users into sharing a video which instead takes the viewer outside Facebook to a scam site.
The link, described as “heart-breaking footage”, according to veteran security-industry expert Graham Cluley’s report, instantly takes users outside Facebook, “Clicking on the link (which isn’t recommended) takes you to a third-party website which is pretending to be Facebook, complete with what appear to be comments from other users. However, if you try to watch the video you are told that you must share the link publicly before you are allowed to proceed.”’s Urban Legends page also warns against the link, saying, “What it’s designed to do, if you follow the instructions, is spam itself to the Facebook news feeds of everyone you know. It may also ask you to fill out a survey form, which, if you comply, is how the scammers make money. Worst-case scenario, it may download malicious software to your computer, potentially compromising your privacy and security..What it won’t do, ever, is show you the “shocking video” it lured you with in the first place.”
ESET researcher Stephen Cobb says, in a We Live Security Guide to such scams, “Can we trust our friends not to make questionable decisions on social media? Apparently not, because our friends might actually be scammers in disguise, or just not well-informed.”
As reported, such scams can, in the worst case scenario, lead to tainted sites which infect users with malware. When Twitter accounts for two CBS shows, 60 Minutes and 48 hours, were compromised in April last year, they began to spam readers with links which AllThingsD reported to be tainted with malware. Such ‘clickjacking’ scams are used by activist groups, such as Syrian Electronic Army’s hijacking of news site E! Online’s Twitter feed to broadcast a Tweet saying, “Breaking! Justin Bieber – I’m a gay”. lists several previous “must-see” videos used to lure unwary Facebook users, such as ‘Huge Plane Crashes Into Bridge’, Shark Eats Man’ and ‘Will Smith Pronounced Dead,’ all of which are scams. ESET’s Social Media Scanner is a free app which offers a quick, free way to check out if that news story on Facebook is true – or a scam.

South Korea, 20 Million credit card data has been leaked

Financial Supervisory Service confirmed that Stolen credit card data of at least 20 million bank and credit card users in South Korea has been leaked.

While US are facing with a series of clamorous data breached against principal retailers, in South Korea an employee of personal credit ratings firm Korea Credit Bureau (KCB) has been arrested accused of one of the greatest data breach.
The man was accused of stealing the data from customers of three credit card firms, he worked for them as a  consultant. The customers' data information was stolen from the internal servers of KB Kookmin Card, Lotte Card and NH Nonghyup Card. The data breach impacted at least 20 million of users, the figure is impressive if we consider that Korean population is 50M.
south korea credit card data
Seoul's financial regulators confirmed the shocking news on Sunday, the Financial Supervisory Service (FSS) revealed that stolen card data includes the customers' names, social security numbers, phone numbers, credit card numbers and expiration dates.
"The credit card firms will cover any financial losses caused to their customers due to the latest accident," .
The alleged thief sold the stolen data to phone marketing companies, the managers of those firms were also arrested this month.
Despite this data breach appears the biggest one affected South Korea, in the last couple of year many incidents hit Korean firms.
Following a timeline of data breaches occurred in the country:
  • An employee of Citibank Korea has stolen personal data of 34,000 customers.
  • In 2012, two South Korean hackers have stolen 8.7 million customer data from the servers of KT Corp, the nation's second-biggest mobile operator.
  • In November 2011 hackers stolen data belonging to 13 million users of Korean games developer Nexon.
  • In July 2011 personal data from 35 million users of the South's social networking site, Cyworld, was stolen by hackers.
FSS confirmed that an investigation by authorities is still ongoing.

VMware shells out $1.54bn for mobile management outfit Airwatch

VMware logo
VMware has confirmed plans to purchase mobile management and security services provider Airwatch for $1.54bn.
VMware announced the deal had been approved by both companies' boards and is forecast to close by the end of this quarter.
The deal will see VMware, which is owned by storage provider EMC, pay $1.175bn in cash and $365m in installment payments. VMware plans to integrate Airwatch staff into the company's End-User Computing Group following the acquisition.
The Airwatch team will primarily work from their Atlanta base and will continue to answer directly to company founder and chief executive officer John Marshall, who will report to VMware chief executive officer Pat Gelsinger.
Airwatch currently has nine offices across the world, boasts a workforce of 1,600 people and is listed as having over 10,000 customers globally.
Executive vice president and general manager of VMware's End-User Computing group, Sanjay Poonen, confirmed that the company plans to expand Airwatch's Atlanta offices to become the centre of its mobile operations.
"Our vision is to provide a secure virtual workspace that allows end users to work at the speed of life," he said. "The combination of Airwatch and VMware will enable us to deliver unprecedented value to our customers and partners across their desktop and mobile environments."
VMware also announced on Wednesday that it estimates revenue of $1.48bn for the fourth quarter.
VMware is one many firms to acquire a security company over the past year. Advanced threat specialist FireEye confirmed plans to purchase end-point protection firm Mandiant earlier in January for $1bn.
IBM also purchased security firm Trusteer earlier in August 2013, promising it will use the company's anti-hacker technology to bolster customers' cyber defences.

BlackBerry lands 80,000-device Pentagon deal, plans real estate sale

Blackberry logo
Struggling smartphone maker BlackBerry received a huge boost after it was revealed that the US Department of Defense (DoD) has placed an order for 80,000 devices with the firm.
The Defense Information Systems Agency (DISA) confirmed that, while it would start offering other devices including those made by Samsung and Apple, most devices would come from BlackBerry.
“DoD will begin deploying version 1.0 of the unclassified mobility capability [on] 31 January and will build out capacity to support up to 100,000 users by the end of the fiscal year,” it said.
“The program currently supports 1,800 unclassified mobile devices including iPad 3 and 4, iPhone 4S and 5, Samsung 10.1 tablets and Samsung 3S, and Motorola Razr devices with participation from the combatant commands, services and agencies throughout DoD. The program also supports 80,000 BlackBerry phones.”
The decision to use a raft of devices represents a new way of trying to incorporate the use of mobile devices into the defence agencies, DISA added.
News of the deal sent BlackBerry's share price soaring overnight to over $10, although it has dropped slightly since then. The announcement marks a major piece of good news for the firm after years of struggle, including major write-downs and profit losses.
BlackBerry has also announced plans to rid itself of three million square feet in commercial real estate in order to cut costs. The locations will all be in Canada, but the firm did not specify where they would be, although CEO John Chen confirmed its headquarters would remain.
“BlackBerry remains committed to being headquartered in Waterloo and having a strong presence in Canada along with other global hubs,” he said. “This initiative will further enhance BlackBerry’s financial flexibility, and will provide additional resources to support our operations as our business continues to evolve.”

How Cybercriminals Attacked Target: Analysis

In the wake of the credit card data breaches at Target, Neiman Marcus, and possibly several other retailers around the country, much of the discussion has focused on point-of-sale malware, RAM scrapers in particular.
On January 12th, it was confirmed that the attackers behind the massive Target data breach had installed malware on Point of Sale (PoS) systems at retail locations across the country.
Over the past few days, a number of security vendors, along with the US government, have uncovered more details on the types of malware connected to these PoS attacks, including the breach at Target.
Target Store in USPiecing together analysis from various researchers reveals that the cyber-crime ring behind these attacks used a highly sophisticated set of tools to first intercept the payment data and then transfer the stolen information to servers controlled by the criminals. While it is still not known how the attackers broke into Target's network, or other retailers for that matter, in the first place, details are emerging about what steps the memory-parsing software took once inside.
“A new piece of malicious software, KAPTOXA, has potentially infected a large number of retail information systems,” said iSight Partners, a cyber-forensics company working with the U.S. Secret Service.
Scraping Memory For Data
RAM scrapers are different from other types of malware in that they look for data as they are stored temporarily in the computer's memory. In the case of a point-of-sale terminal, the malware can see and grab the data stored on the credit or debit card’s magnetic stripe the exact moment the shopper swiped the card through the card reader. Under the Payment Card Industry-Data Security Standard rules (PCI-DSS), payment card data has to be encrypted as quickly as possible so that the data is protected both at rest, such as on the hard drive, and in transit, when it is sent to the back-end servers for processing. The malware injects itself into running processes to identify credit card track data and copy it during that narrow window of opportunity before it is scrambled.
In Target's case, the malware began collecting data as soon as it infected the retailer's PoS terminals, but stayed under the radar for six days, said Aviv Raff, CTO of Seculert. The data was consolidated onto another compromised machine within Target's network.
It appears that around Dec. 2, a machine began transmitting the stolen information to a FTP server belonging to a hijacked website. The transmissions occurred several times a day, usually during prime business hours, over a period of two weeks, Seculert found. The criminals then downloaded the data files, which Seculert has estimated to be about 11 GB in size, onto another server based in Russia. That estimate comes from information found on the FTP access logs, Raff told SecurityWeek.
“The attackers were able to plant point-of-sale malware and intercept approximately 110,000,000 records worth of payments, transactions, and other personally identifiable data,” McAfee noted in its own analysis. 
While more people may be paying attention now because of the recent attacks, malware targeting point-of-sale terminals have actually been making the rounds for several years. The Verizon Data Breach Investigation Report highlighted attacks on point-of-sale systems as a major threat. The threat is also not limited to just retailers, as virtually any organization that deals with customer payment card data is vulnerable, such as hospitality and education sectors.
In an earlier story, SecurityWeek listed some recent breaches that leveraged memory-parsing malware. Sophos generally detects PoS RAM scrapers malware under the family name Trackr. Other PoS malware include ones such as Alina, Dexter and VSkimmer. According to researchers from McAfee, vSkimmer is a successor to Dexter and has more functionality than Dexter.
Visa warned about the Dexter malware in a December 2012 security advisory, and Arbor Networks posted a detailed analysis of Dexter late last year.
In January 2013, researchers from Sophos even found the Citadel crimeware targeting PoS systems, though Citidel uses screen captures rather than RAM Scraping techniques.
The increasing popularity of RAM scrapers and other memory-parsing malware among cyber-criminals is directly related to the fact that organizations are getting better about encrypting sensitive data, said Michael Sutton, vice-president of security research at Zscaler. “It's an arms race. We throw up a roadblock and the attackers adapt and look for other ways to grab the data," he said.
Point of Sale Malware Used Against Target, Installed on Registers
How POS Malware Works
Because PoS terminals are essentially just computers, many of them running versions of Microsoft Windows, there are many ways they can be infected. Considering most retailers generally have these systems on the same corporate network as all the other computers, the attacker can compromise any computer in order to reach the PoS system. This could have been Web-based attack or a malicious email attachment. It's too early to rule out the possibility of a rogue insider, where someone inside the company triggered the initial infection, as well.
The part where PoS malware, especially RAM scrapers, differ from run-of-the-mill malware is what it does once in the network.
Even though most PoS malware tend to follow the same workflow, RAM scrapers are “surprisingly diverse” in how they are implemented, wrote Vadim Kotov, a security researcher at Bromium. Regardless of type, memory-parsing malware first grabs everything in the computer's memory, and then performs a search through the dumped memory to identify what looks like payment card details.
Considering the number of PoS systems that have been compromised, it is likely the criminals accessed the update or control server for these systems, said Jeff Debrosse, director of security research at Websense.
"These attackers definitely used an ‘infect once, deploy everywhere’ strategy that was incredibly effective," Ken Westin, a security researcher with Tripwire, told SecurityWeek.
Generally a scraper has either a hardcoded list of processes to scan or a blacklist of processes, Kotov wrote. Once the memory or buffer has been dumped, the malware's search algorithm takes over to detect the valuable bankcard data. There are many approaches, but Kotov noted that Dexter simply searched for the ‘=’ character and then looked at 16 bytes before and 20 bytes after to identify the data, Kotov said. Once the data is found, the malware copies it on to its own list. After that, it's just a matter of transferring the list out of the network into the criminals' hands.
“Hiding and transmitting collected payment card information to evade antivirus detection is a relatively staple exercise for modern malware,” Debrosse said.
Based on Existing Crimeware
Just like any other malware type, PoS malware can be customized and tricked out with more features than a garden-variety Trojan, but some are created from toolkits and have off-the-shelf capabilities. The malware that infiltrated Target appears to be related to BlackPOS, a “relatively crude but effective” cybercrime kit sold in underground forums, according to security writer Brian Krebs.
Researchers from security intelligence firm IntelCrawler believe the author of the BlackPOS crimeware kit is a 17-year old living in Russia.
The “budget” version of the crimeware costs $1,800 in underground market, while the “full” version costs $2,300 and has more features, such as the ability to encrypt stolen data, according to Krebs, However, the malware was customized for the specific environment, and obfuscated to avoid detection. In fact, as of Thursday, none of the 40+ tools listed on VirusTotal detect the two malicious files used in the Target attack, Krebs noted.
Even if the organization has antivirus installed on endpoint systems—which they have to in order to comply with PCI-DSS—the fact that attackers are utilizing advanced techniques to evade detection means some infections aren't detected right away.
"Updating antivirus is reactive and simply will not stay ahead of malware threats that create 250,000 new malware variants a day," said Anup Ghosh, CEO of Invincea. PCI-DSS standards need to be updated so that it doesn't emphasize antivirus so heavily, he said.
Even US-CERT was still advising retailers to update their antivirus signatures in its alert just a little more than a week ago.
“What this compromise points to is that detecting the threat on the network is no longer sufficient to prevent breach of data,” Ghosh said.
Looking for Signs of a Breach
Signs are pointing to the fact that this was a broad and highly sophisticated attack, and Target was just one of the victims. Retailers—actually, anyone with a PoS system and processing payments—may have been compromised and need to investigate their networks.
On Thursday, CrowdStrike released Yara and Snort indicators and signatures to detect known components of BlackPOS malware used to steal the payment card details from PoS systems as well as the exfiltration tools that was used to transfer the stolen data. These rules are designed to detect generic variants of the malware and not just the specific version used for Target.  
Tripwire’s has also developed and released rules for Tripwire Enterprise customers that will check for known markers of compromise of the point-of-sale malware they classify as Trojan.POSRAM and Infostealer.Reedum that has retailers.
This is "actionable intelligence that potential other victims can use to detect signs of similar breaches on their network," said Dmitri Alperovitch, CTO of Crowdstrike.
An advisory from the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service, FS-ISAC and iSIGHT Partners, includes technical analysis of PoS Malware along with indicators to assist network defenders.
"While some components of the POS data breaches were not technically sophisticated, the operational components were," the group report concluded. "The cyber criminals displayed innovation and a high degree of skill in orchestrating the various components of the breaches."

EE admits Bright Box router security flaw

EE Bright Box router
EE has confirmed reports that its Bright Box home router tool has a security flaw that could be used to expose account owners' personal information.
Security researcher Scott Helme revealed the flaw in a detailed blog post, explaining that he had uncovered the issue after he was given the Bright Box router when he started using a home broadband service from EE.
“The engineer came out and connected my fibre broadband (FTTC) and, as with all new devices on my network, I decided to take a closer look at the traffic going to and from the device,” he said.
“It became apparent that the device leaks access to all kinds of sensitive data to clients on the network and there’s also the possibility to exploit this remotely.”
He explained that this could have serious repercussions. “It discloses the password of the EE account holder so I can call EE and pass account security, leaving me in a position to go as far as cancelling someone else’s broadband package altogether,” he wrote.
EE questioned this claim, though, claiming that cancelling an account requires more information than just a email or username.
The firm did acknowledged the wider security issues, though, although it downplayed its severity, as it plans to issue a firmware update for all its customers.
“As is the case for all home broadband customers, regardless of their provider, it is recommend they only give network access to people they trust. Customers should also be suspicious of any unsolicited emails and webpages, and keep their security software up to date,” the firm said.
“We treat all security matters seriously. No personal data will be compromised by the device itself. We would like to reassure customers that we are working on a service update, which we plan to issue shortly, and which will remotely and automatically update customers’ Bright Boxes with enhanced security protection.”
Although the fix is said to be arriving soon, Helme noted at the end of his post that he informed both the CEO and CTO of EE of the issue and was told by security staff that a fix would be arrive in December. Because of this he felt compelled to release the information after no update was issued.

Microsoft plugs Office 365 vulnerability that risked email security

Office 365 logo
Microsoft has fixed a cross-site scripting vulnerability in Office 365, which could theoretically have been exploited by hackers to obtain full control of a company's email environment.
The issue was reported by the co-founder of security firm Cogmotive, Alan Byrne, in a post on the company blog. "I recently discovered a serious cross-site scripting (XSS) vulnerability in Microsoft Office 365 whilst doing a security audit of our own Microsoft Office 365 Reporting Application," he wrote.
"Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full administrative permissions over their entire company's Office 365 environment using just a few lines of JavaScript."
Byrne proved the vulnerability could be exploited by posting a video guide explaining it on YouTube. He said: "At its core the exploit uses a simple cross-site scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information, which it read out of Windows Azure Active Directory."
The Cogmotive co-founder said he had followed responsible disclosure protocol and had alerted Microsoft about the flaw before publishing his research.
"Obviously, this is a very serious security issue and I immediately reported it to Microsoft like a good white hat on 16 October 2013. We shared all of our research with the Microsoft Security team who soon confirmed the issue," he wrote.
"It was resolved by 19 December 2013 and they have graciously allowed me to detail my findings publicly in this article."
At the time of publishing Microsoft had not responded to V3's request for comment on Byrne's research.
The Office 365 vulnerability is one of many recently discovered in Microsoft's systems and services as the firm faces a number of security issues, not least the continued hacking of its social platforms by the Syrian Electronic Army.
The SEA has been targeting Microsoft for the past few weeks claiming the cyber raids are designed to "punish Microsoft" for its supposed involvement in the National Security Agency's (NSA) PRISM campaign.