What you need to know for your personal cyber security life…
Third in a series of daily round-ups of current and topical computer threats that may affect your online, or even offline, digital and real life.
# # #
Documents and plans relating to the F-35 Joint Strike Fighter have been recovered from shipping containers destined for Iran
JANUARY 15, 2014
The secret plans for America’s – and Australia’s – next stealth fighter have been recovered from boxes labelled “household goods” on their way to Iran.
It’s just the latest scare for the troubled multi-billion dollar Joint Strike Fighter F-35 Lightning II program.
It has turned out to be the most expensive defence program in history, costing about $400 billion so far. Tens of billions more are expected to be spent ironing out the many problems with its ultra-advanced electronics.
Mozaffar Khazaee was arrested last week as he attempted to board a flight to Germany that continued on to Iran. The 44 boxes had been forwarded a week earlier via a shipping company.
The secret material found within included “sensitive technical manuals, specification sheets, and other proprietary material”, according to a US Homeland Security affidavit.
The thousands of pages were bundled within dozens of manuals and binders. The packaging note described them as “books and college-related items”.
# # #
UK critical infrastructure at risk from SCADA security flaw
By Alastair Stevenson
16 Jan 2014
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has called for businesses involved in critical infrastructure to be extra vigilant as it investigates a potential critical flaw in a commonly used SCADA system.
ICS-CERT issued the warning in a security advisory after security researcher Luigi Auriemma uncovered a vulnerability that left many of the world’s SCADA systems at risk.
“ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product,” said the advisory.
“IntegraXor is currently used in several areas of process control in 38 countries with the largest installation based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia. ICS-CERT recommends that users take defensive measures to minimise the risk of exploitation of these vulnerabilities.”
# # #
ATMs Face Deadline to Upgrade From Windows XP
By Nick Summers
January 16, 2014
One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a few of the features that Wells Fargo (WFC), Bank of America (BAC), JPMorgan Chase (JPM), and other banks tout as the latest and greatest features of their fleets of ATMs. It’s hardly stuff to set the heart racing.
When ATMs were introduced more than 40 years ago, they were considered advanced technology. Today, not so much. There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft (MSFT) cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards. Most machines that get upgraded will shift to Windows 7, an operating system that became available in October 2009. (Some companies get a bit of a reprieve: For ATMs using a stripped-down version of XP known as Windows XP Embedded, which is less susceptible to viruses, Microsoft support lasts until early 2016.)
Inside every ATM casing is a computer, and like all such devices, each one runs on an OS. Microsoft’s 12-year-old Windows XP dominates the ATM market, powering more than 95 percent of the world’s machines and a similar percentage in the U.S., according to Robert Johnston, a marketing director at NCR (NCR), the largest ATM supplier in the U.S.
The many offshoots of the country’s jumbled ATM network, ranging from convenience stores that operate a single antiquated cash machine to national banks that oversee tens of thousands of terminals, are feeling the deadline in different ways, says Suzanne Cluckey, the editor of ATM Marketplace, a news site that serves the industry. More advanced ATM fleets can do the update over their networks. Older ATMs must be upgraded one by one or even replaced entirely if they don’t have enough computing power to run the newer, more demanding software. “My bank operates an ATM that looks like it must be 20 years old, and there’s no way that it can support Windows 7,” says Cluckey. “A lot of ATMs will have to either have their components upgraded or be discarded altogether and sold into the aftermarket—or just junked.”
Aravinda Korala, chief executive officer of ATM software provider KAL, says he expects only 15 percent of bank ATMs in the U.S. to be on Windows 7 by the April deadline. “The ATM world is not really ready, and that’s not unusual,” he says. “ATMs move more slowly than PCs.” While ATMs seem to be everywhere, their total number—an estimated 3 million worldwide, according to consulting firm Retail Banking Research—isn’t very many compared with the global base of Windows users. As a rule, security patches that directly affect the machines might be issued only once a quarter, Korala says.
# # #
HealthCare.gov riddled with flaws that could expose user data, experts say
By Dan Goodin
Jan 16 2014
The federal government’s HealthCare.gov website continues to be riddled with flaws that expose confidential user data to the public, a security expert testified Thursday at a hearing on Capitol Hill.
David Kennedy, founder of security firm TrustedSec, told members of the House of Representatives Science Committee that only one of 18 issues he reported in November had been fixed, and even then he identified ways that attackers could bypass the remedy. Kennedy didn’t discuss specifics of the vulnerabilities out of concern that details would make it easier for criminals to exploit the weaknesses. Generally, he said some of the weaknesses leaked usernames, e-mail addresses, and other data contained in user profiles onto the open Internet, making it possible for unauthorized people to access the information using Google or other search engines. The testimony came as top security officials from the US Department of Health and Human Services (HHS), which helps oversee HealthCare.gov, were appearing before a separate House hearing.
“TrustedSec cannot state with 100 percent certainty that the back-end infrastructure is vulnerable,” Kennedy wrote in a statement submitted in advance of Thursday’s proceedings. “However, based on our extensive experience performing application security assessments for over 10 years, the website has the symptoms that lead to large-scale breaches for large organizations. Also note that all exposures have been reported, and TrustedSec would be more than willing to have discussions with HHS to address the security concerns.”
HealthCare.gov is the portal website that administers Obamacare in 36 states. The difficulty it had scaling to levels of even basic public interest during its rollout in October badly tarnished what is arguably President Obama’s signature legislation. Shortly after the launch, Kennedy and several other security experts also criticized the site for failing to follow established practices for protecting user data. In November, Kennedy warned of 18 vulnerabilities. Since then, he said he has learned of at least 20 more from fellow researchers.
# # #
Breach at Neiman Marcus Went Undetected From July to December
By Nathaniel Popper
The New York Times
Jan. 16, 2014
The computer network at Neiman Marcus was penetrated by hackers as far back as July, and the breach was not fully contained until Sunday, according to people briefed on the investigation.
The company disclosed the data theft of customer information late last week, saying it first learned in mid-December of suspicious activity that involved credit cards used at its stores. It issued another notice on Thursday, elaborating slightly.
The latest notice said that “some of our customers’ payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information.”
The company apologized again, and said it did not believe the customers’ Social Security numbers or birth dates — key pieces of personal data — had been compromised.
# # #
Cyber Security Challenge CEO hits back at KPMG’s ‘lack of credible candidates’ claim
By Sooraj Shah
16 Jan 2014
The CEO of the Cyber Security Challenge, Stephanie Daman, has hit back at claims that the series of national events designed to encourage talented professionals to join the UK IT security sector has failed to attract suitable candidates.
KPMG’s UK head of cyber security, Martin Jordan, said that the ‘Big Four’ professional services firm had to scale down its sponsorship of the challenge because of a lack of credible talent for the firm to recruit.
“We’ve drawn down our involvement this year, sadly we didn’t see the CVs coming through and the sponsorship is quite expensive – we are a business,” he said.
Stephen Bonner, a partner in the information protection side of KPMG, said that the challenge did not appropriately reflect what a role in cyber security entails, but said that it had worked in growing awareness of cyber security as a profession. He also sympathised with the event organisers, suggesting that it is not the role of CSC to be a recruitment agency.
# # #