Wednesday, 16 July 2014

Mandatory data breach laws back on Australian agenda

Australia's on-again, off-again debate about data breach notification laws is on again, courtesy of a report into financial system regulation, at least until the government cans the idea (again).
Register readers will recall that a Privacy Alerts bill was proposed by the previous government before the 2013 election, then delayed, re-introduced in March, and abandoned in June by the current government.
Now, the federal government's Financial System Inquiry has issued an interim report (PDF) that recommends the government re-examine the issue.
As the report states “Access to growing amounts of customer information and new ways of using it have the potential to improve efficiency and competition, and present opportunities to empower consumers. However, evidence indicates these trends heighten privacy and data security risks”.
To cover these risks, the report unequivocally backs “mandatory data breach notifications to affected individuals and the Australian Government agency with relevant responsibility under privacy laws”.
At the same time, the report seems to take issue with current attitudes to cloud computing – particularly in relation to offshore storage of Australian data. The Australian Prudential Regulatory Authority, it says, should be advised of “continuing industry support for a principles-based approach to setting cloud computing requirements”, and the government should review record keeping rules that currently inhibit “cross-border information flows”.
Digital identities are also highlighted in the report, with the government urged to pursue “a national strategy for promoting trusted digital identities”.
The FSI is seeking comment on the interim report until 26 August 2014, and has until November 2014 to issue its final report

Flaw in Google's Dropcam sees it turned into SPYCAM

Hackers could inject fake video into popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say.
The wide-ranging attacks were tempered by the need for attackers to have physical access to the devices but the exploits offer the chance to inject video frames into cameras - handy for home robberies - intercept video, and exploit the Heartbleed vulnerability to pull passwords and SSL server's private key.
Dropcam makes a video monitoring platform and was last month snapped up by Google's Nest Labs for $US555 million.
Wardle (@patrickwardle) and Moore (@colbymoore) of security firm Synack, California, reverse-engineered Dropcam hardware and software and discovered vulnerabilities that could allow malware to be implanted on the devices which would attack home or corporate networks.
"If someone has physical access, it's pretty much game over," Wardle told DarkReading.
"The camera is vulnerable to client-side Heartbleed attacks. You could spoof the Dropcam DNS server, and the camera would beacon out."
The duo will describe how Dropcam could morph into an attack point within a users' network during a talk Optical surgery; Implanting a Dropcam at the upcoming DEF CON 22 conference in Las Vegas next month.
They would recount their reverse-engineering effors which lead to the "full compromise of a DropCam" that with physical access and "some creative hardware and software hacks" would allow any malware to be persistently installed on the devices. The duo would also reveal how to infect Windows or Mac OS X boxes that were used to configure hacked Dropcams.
Wardle said the cameras should be subject to the same security checks as regular computers given their capabilities and vulnerabilities.
Dropcam was found to be running Heartbleed-vulnerable versions of OpenSSL and the Unix utility suite BusyBox

GCHQ leak lists UK cyber-spies' hacking tools

More than 100 codenamed projects are defined in the leaked GCHQ document
A document that appears to list a wide variety of GCHQ's cyber-spy tools and techniques has been leaked online.
It indicates the agency worked on ways to alter the outcome of online polls, find private Facebook photos, and send spoof emails that appeared to be from Blackberry users, among other things.
The document is alleged to have been among those leaked by former US intelligence analyst Edward Snowden.
One expert said the release, published on the site Intercept, was "damaging".
Alan Woodward, a security consultant who has done work for GCHQ, the UK's intelligence agency, said: "If you read the mission statement of any signals intelligence organisation, all the listed techniques are what you'd expect them to be doing.
"But it's very unhelpful for the details to leak out because as soon as you reveal to people how something is being done they can potentially take steps to avoid their information being collected.
GCWiki The leaked document lists the techniques in the style of the online encyclopaedia Wikipedia
"We've already seen it happen when various forms of interception were revealed previously with the Snowden leaks."
Glenn Greenwald, the journalist who published the latest document, noted in his article that an earlier inquiry by the European Parliament's Civil Liberties Committee had called into question the "legality, necessity and proportionality" of the data-collection activities of GCHQ and the US National Security Agency (NSA), for which Mr Snowden worked.
He also highlighted that the article's publication coincided with the start of a legal challenge brought by Privacy International, Liberty and other civil rights groups that claimed the UK's security agencies had acted unlawfully.
However, GCHQ denies it is at fault.
"It is a longstanding policy that we do not comment on intelligence matters," it said in a statement.
"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee."
Swamp donkey More than 100 projects are included in the document, which appears to be from a Wikipedia-style listing for GCHQ's Joint Threat Research Intelligence Group.
Second Life The leak indicates that GCHQ created a tool to help agents make use of Second Life
Many involve eccentric codenames.
For example, the ability to send an audio message to a large number of telephones and/or "repeatedly bomb" a target number with the same message is called Concrete Donkey - the name of a weapon in the video game Worms.
Other examples include:
  • Angry Pirate - a tool to permanently disable a target's account on their computer
  • Bomb Bay - the capacity to increase website hits/rankings
  • Cannonball - the ability to send repeated text messages to a single target
  • Gestator - a tool to make a message, normally a video, more visible on websites including YouTube
  • Glitterball - software to help agents carry out operations in Second Life and other online games
  • Birdstrike - Twitter monitoring and profile collection
  • Fatyak - public data collection from the business-focused social network LinkedIn
  • Spring Bishop - a tool to find private pictures of targets on Facebook
  • Changeling - the ability to spoof any email address and send messages under that identity
  • Bearscrape - a tool to extract a computer's wi-fi connection history
  • Miniature Hero - the ability to source real-time call records, instant messages and contact lists from Skype
  • Swamp donkey - a way to send a modified Excel spreadsheet document that silently extracts and runs malware on the target's computer
  • Underpass - a tool to change the result of online polls
Some of the schemes are listed as being operational while others are said to be still at the design, development or pilot stages.
Analysis: Gordon Corera, security correspondent
Data analyst
The latest revelations suggest that GCHQ is developing a wide range of capabilities which go beyond the simple gathering of information and into the realms of covert action.
This is another traditional part of the work of spy agencies but one they prefer to keep clandestine and therefore "deniable".
According to the documents, this appears to range from disrupting an individual's online activity to broader "information operations" to influence opinion in other countries.
What is not clear from the document is how far these capabilities have actually been deployed and put into action and against whom.
Almost every state is secretly developing capabilities to disrupt their opponents in cyberspace but they do not like talking about them or having them revealed in public.
'Chinese menu' It is not clear exactly how out-of-date the list is.
The document states it was last modified in July 2012, but includes a note saying: "We don't update this page anymore, it became somewhat of a Chinese menu for effects operations."
Staff are instead directed to an alternative page, which has not been leaked.
"The accusation that GCHQ has been manipulating polls and influencing and distorting political discourse is incredibly serious," said Emma Carr, acting director of the Big Brother Watch campaign group.
"The UK is always the first to point the finger at countries if there is a whiff of corruption or interference within a democratic process, so if senior ministers are aware that this is taking place then this absolutely stinks of hypocrisy.
"It is essential that the government directly addresses these accusations, otherwise they are at risk of losing the international moral high ground."

CNET attacked by Russian hacker group

Photo of message exchange between CNET and wOrm  
CNET was informed about the hack attack via a Twitter conversation
A Russian hacker group has attacked the news site CNET. It later said it stole usernames, encrypted passwords and emails for more than one million users.
CNET said a representative from the group - which calls itself 'w0rm' - informed it about the hack via a Twitter conversation.
A spokeswoman for CBS Interactive - the owner of CNET - said the firm had "identified the issue and resolved it".
According to CNET, w0rm offered to sell the database for 1 Bitcoin, or $622.
But it added that the hacking group said the plan to sell the database was to gain attention and "nothing more".
Improve security? The representative of the group claimed that it hacked CNET servers to improve the overall security on the internet.
The group has claimed to have successfully hacked the BBC last year, as well as websites of Adobe and Bank of America.
It says that by targeting high-profile websites it can raise awareness of security issues.
"[W]e are driven to make the Internet a better and safer [place] rather than a desire to protect copyright," the representative said in a Twitter exchange with CNET.
On Monday, the representative offered a security solution to CNET by tweeting: "#CNET I have good protection system for u, ping me".
According to CNET, 27.1 million unique users visited its desktop and mobile sites in the US in June this year.