What you need to know for your personal cyber security life…
Second in a daily series on current and topical computer threats that may affect your online, or even offline, digital and real life.
# # #
Encrypted messaging startup Wickr offers $100K bug bounty
By Jeremy Kirk
IDG News Service
January 15, 2014
Two-year-old startup Wickr is offering a reward of up to US$100,000 to anyone who can find a serious vulnerability in its mobile encrypted messaging application, which is designed to thwart spying by hackers and governments.
The reward puts the small company in the same league as Google, Facebook and Microsoft, all of which offer substantial payouts to security researchers for finding dangerous bugs that could compromise their users’ data.
Wickr has already closely vetted its application so the challenge could be tough. Veracode, an application security testing company, and Stroz Friedberg, a computer forensics firm, have reviewed the software, in addition to independent security researchers.
In a statement, Wickr said “we expect finding critical vulnerabilities in Wickr to be difficult and are honored to work with those that do.”
# # #
t’ about cyber crime and terror risks, says Aon
By Judith Ugwumadu
15 JANUARY 2014
Aon Global Risk Consulting conducted a new survey that assessed organisations’ attitudes to top threats in the insurance industry following the results of its biennial report Global risk management survey published last year.
Concerned that the survey underrated cyber crime as a risk, giving it only 18th place in the rankings, Aon polled more than 100 directors to get a more ‘holistic’ view of industry perceptions.
This found that 83% of captive directors agreed that this ranking was ‘severely’ or ‘perhaps’ under-rated.
‘Successful businesses are increasingly using technology to increase sales, maximise efficiency and reduce expenses, but evolving technologies such as cloud computing and social media increase a business’s risk to cyber theft, fraud and sabotage,’ said Rory Moloney, chief executive of Aon Global Risk Consulting.
# # #
A First Look at the Target Intrusion, Malware
By Brian Krebs
Krebs on Security
January 15, 2014
Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: Malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.
In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.
This type of malicious software parses data that is held only briefly in the memory of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, US-CERT issued a detailed analysis of several common memory-scraping malware variants.
Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.
# # #
Tech Security Upstarts Enter Fray
By Nicole Perlroth
The New York Times
JAN. 14, 2014
SAN FRANCISCO — Steve Bennett, the chief executive of the computer security company Symantec, is spoiling for a fight.
Symantec is still, by a pretty long stretch, the biggest in a growing pack of tech security companies. But like Microsoft, Mr. Bennett’s company is sometimes viewed as an aging, if still wealthy, outfit that can’t keep up with a new generation. And no one in the technology industry likes being labeled the old, slow rich guy.
Particularly when $67 billion is up for grabs. That’s how much companies were expected to spend last year on computer security.
But younger outfits with names like FireEye and Palo Alto Networks are now competing with Symantec and its longtime rival McAfee, which is now part of Intel, for a greater share of a market that is expected to swell to $87 billion by 2016, according to Gartner, a research firm.
The pitch from the new companies is simple: Conventional security defenses — like those that the antivirus software of Symantec and McAfee built their brands upon, as well as the network firewalls of Check Point and Cisco — have proved vulnerable to determined adversaries. The biggest problem with that older technology, they say, is that it reacts to threats rather than anticipating them.
# # #
Oracle spoils your day with NEARLY 150 patches
By Richard Chirgwin
16th January 2014
Systems administrators who decided it would be a quiet week were wrong: Oracle has flicked out more than a hundred security patches, and when you’re finished, it’ll be time to round up any Blackberry users in the company and apply some patches for them.
Let’s start with Oracle, which among other things is taking another stab at securing Java, fixing 36 vulnerabilities of which 34 are “remotely exploitable without authentication”. All but one are client-side vulnerabilities, and ten of them are rated by Oracle at 9.3 or 10 on its vulnerability severity scale.
Once they’ve finished dealing with the Java fixes, weary sysadmins can then work on five database server patches (only one of which is remotely exploitable without authentication).
There are also eleven Solaris operating system patches, nine virtualization patches, and 18 MySQL server patches.
# # #
So You Found An Obamacare Website Is Hackable. Now What?
By Kashmir Hill
Two months ago, L.A.-based security researcher Kristian Erik Hermansen was signing up for Obamacare via the Covered California site. Given his background in finding vulnerabilities in software and websites, spotting security flaws is second nature to him, so he couldn’t help but notice problems with the California site, which has seen the most healthcare registrations in the country.
The technical problems with the website set up for the Affordable Care Act have been well documented, and security flaws have been discovered. When critics started calling the main federal Obamacare site a “hacker’s dream”, though, people rightly pointed out that the more sensitive information — Social Security numbers, incomes and birth dates — is instead held by the state-level portals. That, of course, is exactly what the Covered California site is. Hermansen discovered a vulnerability that would allow someone to take over another person’s account on the California site and review or change the information entered there. He tried contacting Covered California “at least 15 times” by email, phone or chat about the problem, but got no response for over a month. “They must have been overwhelmed by people seeking help with the site,” he says.
On December 24, he finally got through by phone to a Covered California representative and he explained the issues he’d found, but they remained unfixed and he didn’t hear back from them. Given that it was Christmas, that’s not terribly surprising. But Hermansen, frustrated that the flaw had been out there for over a month already, decided two days later to release a video of the exploit to YouTube and posted it to a security sub-Reddit. That got the attention of a Covered California lawyer who contacted him to take the video down, and also flagged it with YouTube; it was soon removed. The lawyer’s tone was contrite in the email. “I am sorry no one responded to you earlier,” he wrote. “We will have to figure out where or how your prior message to us got lost.”
Hermansen then spoke by phone to the lawyer and a chief security person. “They were not interested in talking about the security issues but about getting the video or any other online mention of the flaw taken down,” he says.
# # #
Huawei denies US compromised equipment security
AFP, Fairfax Media
January 16, 2014
Chinese tech giant Huawei, which has long been dogged by security suspicions, has denied a report its telecommunications network equipment had been compromised by US spies.
There have been “no network incidents caused by security reasons”, Huawei chief financial officer Cathy Meng said.
Meng was asked specifically about a report late last month in the German magazine Der Spiegel that technology companies including Huawei had their products penetrated by the US National Security Agency (NSA).
“Those accusations are groundless and we do not agree with that,” she said.
Der Spiegel cited what it said were internal NSA documents for its report.
# # #