
Oracle fixes critical flaws in Database Server, MySQL, Java

Oracle fixed 154 vulnerabilities in its latest Critical Patch Update release, eight of which were in Oracle Database Server, 30 in MySQL, and 25 in Java SE. Oracle said 84 of the vulnerabilities fixed in 54 different products were critical, as they may be exploited remotely without authentication.
The October 2015 Critical Patch Update includes a number of fixes for “very severe vulnerabilities,” but none has yet been exploited in the wild, wrote Eric Maurice, software security assurance director at Oracle. “However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort,” Maurice warned.
Of the Oracle Database vulnerabilities, seven were for Oracle Database Server and one was for Oracle Database Mobile/Lite Server. The most severe vulnerability was in Oracle Database Server’s Portable Clusterware component, with a CVSS Base Score of 10.0. This means the bug could be remotely exploited over the network without needing a username and password, resulting in a full compromise of the targeted system. Three other critical vulnerabilities, all with the CVSS Base Score of 9.0, could affect the Database Scheduler and Java VM components. The vulnerabilities don’t apply to client-only database installations where the Oracle Database Server is not installed.
Oracle also fixed 30 security flaws in the MySQL database, two of which were remotely exploitable without authentication. The most severe flaw affected the MySQL Enterprise Monitor component and could lead to a complete takeover of the targeted system if the component ran with administrator or root-level privileges. The bug’s CVSS Base Score dropped from 9.0 to 6.5 if the MySQL Enterprise Monitor ran with non-administrator privileges, as attackers would only get partial control of the targeted system, Oracle said in its advisory.
In addition, this update fixed older vulnerabilities in the libcurl library, versions 7.17.1 through 7.42.1 (CVE-2014-3707, CVE-2014-8150, CVE-2015-3153 and CVE-2015-3236), which could result in Carriage Return/Line Feed (CRLF) injection attacks. Also known as HTTP response splitting, such an attack injects arbitrary HTTP headers into a response and could be used to obtain sensitive information by reading header contents.
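To make the CRLF injection mechanism concrete, here is an added example (not code from the article, from Oracle or from the libcurl project) that builds an HTTP redirect from an untrusted value in the weak way, parses the result the way a naive client would to show where the extra header appears, and then applies the check that a hardened implementation performs before any untrusted string reaches a header. The inputs, the `X-Injected` header name and all function names are constructed for this illustration.

```python
import re
from typing import List, Tuple

# Constructed inputs: a redirect target taken from an untrusted query parameter.
# The second one carries CR/LF, the pattern behind HTTP response splitting.
CONSTRUCTED_INPUTS = [
    "/account/home",
    "/account/home\r\nX-Injected: yes",
]

# CR, LF and NUL never belong in a header value.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def build_redirect_unsafe(location: str) -> bytes:
    """The weak pattern: the untrusted value is spliced into the header block as-is."""
    head = "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"
    return head.encode("latin-1")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a response head into (name, value) pairs the way a naive client would."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ": " in line:
            name, value = line.split(": ", 1)
            pairs.append((name, value))
    return pairs


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no CR, LF or NUL."""
    return CONTROL_CHARS.search(value) is None


def build_redirect_safe(location: str) -> bytes:
    """Hardened form: reject the value before it can terminate or add a header."""
    if not is_safe_header_value(location):
        raise ValueError("control character in header value")
    return build_redirect_unsafe(location)


def injected_header_names(location: str) -> List[str]:
    """Headers a client would see from the unsafe builder, other than Location."""
    return [name for name, _ in parse_headers(build_redirect_unsafe(location)) if name != "Location"]
```

The same check belongs on the client side of a library like libcurl, where a URL or header built from untrusted data is written onto the wire; Python's own `http.client` raises `ValueError` for header values containing CR or LF for exactly this reason.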
Java is a popular attack vector for attackers, so the CPU is even more critical for organizations relying on Java. The latest update patched 25 vulnerabilities in Java, of which 24 allowed for remote execution. Seven vulnerabilities in Java SE and Java SE Embedded versions 6 to 8 had a CVSS Base Score of 10.0. The flaws, present in various libraries and multiple subcomponents, including CORBA, RMI, Serialization, and 2D, applied to client-side Java alone. They could be exploited only through sandboxed Java Web Start applications and sandboxed Java applets, Oracle said.
The CVSS Base Scores assume the user running a Java applet or Java Web Start application has administrator privileges, which is a common scenario on Windows. If the application is not running with administrator privileges, more typical on Solaris and Linux, the CVSS scores drop and the attackers would get only partial control of the targeted system, Oracle said in the advisory.
A separate flaw in the JavaFX subcomponent (CVE-2015-4901) applied to both client and server deployments. It could be exploited through sandboxed Java Web Start applications and Java applets, as well as by supplying data to APIs in the component through a web service.
Twenty of the vulnerabilities were browser-based. Users should use only the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases, Oracle said.
Oracle recommended that organizations apply the CPU as soon as possible because of the threats, but said it was possible to reduce the risk of successful attack by blocking the network protocol required by the attack. The most severe database vulnerability uses the OracleNET protocol, but it doesn’t make sense to apply this workaround for MySQL, which relies on HTTP. Some of the critical bugs become less severe if certain privileges or access to certain packages are revoked. Since these workarounds can break application functionality, Oracle recommended testing changes on nonproduction systems first.
“Neither approach should be considered a long-term solution as neither corrects the underlying problem,” Oracle said.
Oracle pushes out security fixes for its product portfolio on a quarterly basis. This quarter’s CPU is not significantly different in size from past updates. The July update included fixes for 193 vulnerabilities, while the January update fixed 169 vulnerabilities. The April update was the smallest in 2015, with fixes for 98 vulnerabilities.
Oracle’s next scheduled update is Jan. 19, 2016.
This story, "Oracle fixes critical flaws in Database Server, MySQL, Java" was originally published by InfoWorld.

Hackers infect MySQL servers with malware for DDoS attacks

Hackers are exploiting SQL injection flaws to infect MySQL database servers with a malware program that's used to launch distributed denial-of-service (DDoS) attacks.
Security researchers from Symantec found MySQL servers in different countries infected with a malware program dubbed Chikdos that has variants for both Windows and Linux.
This Trojan is not new and was first documented in 2013 by incident responders from the Polish Computer Emergency Response Team (CERT.PL). At that time the malware was being installed on servers after using brute-force dictionary attacks to guess SSH (Secure Shell) login credentials.
However, the new attacks observed by Symantec abuse the user-defined function (UDF) capability of the MySQL database engine. UDF allows developers to extend the functionality of MySQL with compiled code.
Symantec believes that attackers exploit SQL injection vulnerabilities in order to inject malicious UDF code in databases. They then use the DUMP SQL command to save the injected code as a library file that is later executed by the MySQL process.
The malicious UDF code downloads and installs the Chikdos Trojan, which allows attackers to abuse the server's bandwidth for DDoS attacks.

The Symantec researchers found MySQL servers infected with Chikdos in many countries, including India, China, Brazil, Netherlands, the U.S., South Korea, Mexico, Canada, Italy, Malaysia, Nigeria and Turkey. The largest concentrations were in India and China, 25 and 15 percent respectively.
During their analysis the researchers saw the servers being used to launch DDoS attacks against a U.S. hosting provider and a Chinese IP address.
The reason for targeting MySQL servers is likely because their bandwidth is considerably larger than that of regular PCs, making them more suitable for large DDoS campaigns, the Symantec researchers said in a blog post.
To prevent such attacks, website owners should avoid running SQL servers with administrative privileges and should follow best programming practices for mitigating SQL injection vulnerabilities, they said.
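The mitigation Symantec recommends, parameterized queries, is worth seeing next to the pattern it replaces. The following added example is not Symantec's code or MySQL's; it uses Python's built-in `sqlite3` module as an offline stand-in for a MySQL connection (MySQL drivers use `%s` placeholders rather than `?`, but the principle is identical), with a constructed user table, so it can be run anywhere.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample table standing in for an application's user store.
CONSTRUCTED_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The weak pattern: untrusted input is pasted into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened form: a bound parameter is always data, never SQL, whatever it contains."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def row_counts(name: str) -> Tuple[int, int]:
    """Rows returned by the unsafe and the safe lookup for the same input."""
    conn = open_sample_db()
    try:
        return len(lookup_unsafe(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()
```

A tautology such as `x' OR 'a'='a` returns every row from the unsafe query and nothing from the parameterized one, because the bound value is compared literally. The second half of the advice, not running the server with administrative privileges, applies to the database account as well: an application account that lacks MySQL's `FILE` privilege and cannot write into the `mysql` system database has no way to drop a library on disk or register a UDF, so even a successful injection is confined to the application's own tables.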

Second Teen Arrested Over Cyber-Attack on UK's TalkTalk

A second teenager has been arrested in connection with a cyber-attack on British Internet and telephone provider TalkTalk that put millions of customers' data at risk, police said Friday.
The 16-year-old boy from Feltham in west London was held on suspicion of computer misuse after a search of his home on Thursday.
Earlier this week, a 15-year-old boy was arrested in a raid in Northern Ireland and released on bail.
The personal data of some four million TalkTalk customers are feared to have been compromised in the third cyber-attack on the firm in eight months in which customers' data have been stolen.
The company has said it is unsure how many people were affected, but said that information including customer names, addresses and bank details could be at risk.
It described the attack as "significant and sustained" and said that not all customers' data were encrypted.
Police are investigating a ransom demand that was sent to TalkTalk purporting to be from the hacker, though the firm is unsure if the demand for money was genuine.

Google Slams Symantec for Issuing Fake Web Certificates, Demands Answers

Google is demanding that Symantec conduct an assessment to ensure it is still eligible to run a certificate authority. The search giant's scathing statement comes after the security firm was found to have issued a large number of fake digital certificates.
In mid-September, upon Google's notification, Symantec revealed that its Thawte certificate authority (CA) issued an Extended Validation (EV) pre-certificate for several domains including Google's and Opera's. A total of 23 certificates were issued without the domain owners' knowledge. At the time, Symantec said that these certificates were only created for testing purposes, and were accidentally issued. Google found these domains in its Certificate Transparency system logs.
Following this discovery, Google asked Symantec to conduct a full audit. Upon investigation, Symantec reported an additional 164 bogus certificates spanning 76 domains, and an additional 2,400 test certificates for unregistered domains. The practice of issuing certificates for unregistered domains has been prohibited since April 2014.
In September, the security firm also fired a number of its employees for errors in issuing certificates. The company had said that "employee error" caused cryptographic certificates to be issued online.
The fake certificates, according to Google, make it possible for attackers to impersonate its own websites as well as many others', potentially leading to data theft and other cybercrimes. "It's obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency," wrote Ryan Sleevi, a software engineer at Google, in a blog post on Wednesday.
"In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner," he added.
Symantec seems to be downplaying the threat of the fake certificates. "In September, we were alerted that a small number of test certificates for Symantec's internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains," it said in a statement.
"While there is no evidence that any harm was caused to any user or organisation, this type of product testing was not consistent with the policies and standards we are committed to uphold. We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted."
Google is not pleased, as you can imagine. The company wants Symantec to conduct a further investigation into how it failed to meet the basic requirements. Symantec must comply with Google's demands if it wants its certificates to remain trusted by Google. Google also requires Symantec, beginning June 1, 2016, to log all certificates with its Certificate Transparency mechanism.

Google: Next Penguin Update Should Happen By End Of 2015

Google's new real-time Penguin algorithm, version 4.0, will likely be released by the end of this year.




We are all expecting the next Penguin update to happen soon, but now we know it will most likely be released within the next two months.
Gary Illyes, a Google Webmaster Trends Analyst, has posted on Twitter that he expects the release to be within 2015. Since only November and December remain in 2015, we have to assume this release will happen within the next two months.
We can also expect the next release to be the real-time version. That means that the algorithm will update continuously in real time. There won’t be specific release dates for the Penguin updates after Penguin 4.0 (which is the upcoming release). Instead, as Google detects spammy links on a site, it may be impacted by Penguin. At the same time, when those spammy links are removed and Google’s indexer picks up on that, the sites will no longer be impacted by Penguin.
As news comes out on Google’s Penguin update, we will let you know.

NTT Opens India's Largest Data Centre

Action is heating up in India with the world's top names like Oracle, Microsoft and Amazon queuing up to open data centres here. NTT Communications, the world's largest data centre company and a unit of the $112-billion Japanese giant, NTT, also has mega plans in the country. On Wednesday, the company, which entered India in 2012 with the acquisition of Netmagic, opened its ninth facility spread over 3 lakh sq ft, the largest in the country, entailing an investment of Rs 700 crore. Tetsuya Shoji, president & CEO, NTT Communications, talks to Christoph Kober & Reeba Zachariah about the Indian data centre scenario. Excerpts:
What are the factors driving the Indian data centre space? Data centres are an important part of infrastructure. Several sectors are spurring growth, for instance, e-commerce. Also, a new set of banks is coming to play while the existing ones are becoming more aware of disaster recovery, resulting in them approaching data centres.
What challenges do you see? Securing reliable access to electricity is the biggest challenge. Other than Mumbai, power supply is a challenge in Bangalore, Chennai, Delhi and Noida where we have our data centres. It is also an opportunity as people are unwilling to invest in fuel and generators to maintain their own data centres. And so, they are more likely to outsource the data centres to us.
Globally, NTT is No. 1 in data centres. How do you see yourself in India? It is important to be No. 1 but we are not pursuing only scale. We also consider quality to be important. We want customer satisfaction and we want to provide it at a price where we can make appropriate profits. Netmagic is the fastest growing company in India. We were No. 3 but today we are No. 2 - depends on how you judge. India is where we want to make strategic investments. The latest Mumbai facility is not the last. We plan to have three more data centres in the near future. Whether our growth strategy will be organic or through M&A is a matter of calculation and consideration.
The government has insisted on hosting data centres in the country as data sovereignty is a concern... Data sovereignty rules for some sectors are present almost everywhere in the world. In India, it is for some select sectors like banking wherein you have to host facilities within the country. In Indonesia, data centres for almost all sectors have to be within the boundary. That is one of the reasons why NTT recently made an acquisition there.

NTT has applied for a unified licence for national long-distance services in India. What are your plans?


The licence has been applied by a separate Indian subsidiary of NTT. We want to provide a range of network services. Netmagic will continue to be carrier-neutral while customers that will be part of the new licence will be large Japanese clients.



13.5 Million Passwords Hacked From 000Webhost

Quite literally, every day someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another. I mean, the day just isn't complete without a fresh leak of the personal info of ten or so million users.
It's gotten to the point where there are just so many hacks, that you may have become desensitized to the sheer amount of data that has been pilfered away from the servers of companies. One million user accounts here, 4 million hashed passwords there. The mundanity of everyday data breaches is taking its toll.
That's why we're launching this new format: Another Day, Another Hack. We'll do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, and as new data breaches fight for your attention, real people are still getting fucked over somewhere, and should know about it.
So here's the first one in a series.
000Webhost is a Lithuania-based free hosting company. According to Forbes and Troy Hunt of security monitoring site haveibeenpwned.com, a database for 000Webhost containing over 13.5 million unencrypted usernames and passwords is on sale for $2,000.
Hunt and Forbes tested several of the leaked usernames to check if the leak was likely legitimate. But 000Webhost have since admitted to the breach, on the company's Facebook page.
“We have witnessed a database breach on our main server,” the post reads, and claims that the company was breached because of an outdated piece of software.
000Webhost apparently reset its customers’ passwords, but failed to inform them. The company did not respond to Forbes’ requests for comment.
Forbes pointed out that the site didn't appear to take security all that seriously: the login page didn't use any encryption, and the site itself was running some pretty out-of-date software.

A Twitter tipster also alerted Motherboard that 000Webhost appears to be leaking the contents of customer support tickets.
The lesson for 000Webhost: encryption of customer data is a necessity, not a luxury.
Another day, another hack.

Oracle's software was hacked by interns in an hour, researcher says

Oracle executive chairman Larry Ellison
Oracle, like all the rest of the big software makers, regularly patches many security holes found in its software.
Just this month, Oracle issued 154 new security patches for its software. 12 of those patches were for Oracle's E-Business Suite, its main financials app (the app that competes with rival SAP's main enterprise resource planning product).
Six of those 12 holes were found in about an hour by interns working at security researcher ERPScan Research, founder Alexander Polyakov tells Business Insider.
Some of the holes the interns found were very dangerous and could allow a clever attacker to gain control of the apps, Polyakov says.
ERPScan Research set the interns on Oracle's software after Oracle Chief Security Officer Mary Ann Davidson got herself into hot water last August.
Davidson went on a rant in a now-deleted blog post about how she doesn't want Oracle's customers or outside security researchers to look for and report security bugs in Oracle's software products. She told the world that Oracle was more than capable of finding all the holes itself.
Oracle took down the blog post and spokespeople quickly distanced Oracle from Davidson's comments, saying they "didn't reflect" the company.
So maybe it's not a big surprise that security is a big focus for the company right now.
On Tuesday afternoon, Oracle's executive chairman and CTO Larry Ellison will be giving details on his company's brand new plans to make Oracle's software more secure. He hinted that the new security tech could be built into Oracle's hardware, possibly inside the computer chip itself, and will be turned on by default, with no way to turn it off, saying:
It's just a huge problem that most of the security features we give you, we give them to you and we tell you how to use them and we tell them how to turn them on and we train you. Wouldn't it be nicer if it was always on and always works and you didn't have to do anything?

THE ART OF CYBERWAR: SECURITY IN THE AGE OF INFORMATION

Cybercrime is an increasingly serious issue both in the United States and globally; the estimated annual cost of global cybercrime has reached $100 billion. Almost 560 million people are victims of cybercrime yearly — more than 1.5 million victims a day.
The U.S. Director of National Intelligence has ranked cybercrime as the top security threat — higher than the threat of terrorism, espionage and weapons of mass destruction, according to a 2014 national report on cybercrime that surveyed businesses, law enforcement and government agencies. As FBI Director James B. Comey explained, “The United States faces real [cybersecurity] threats from criminals, terrorists, spies, and malicious cyber actors.” One of the primary reasons for the severity of threats is that cybersecurity professionals are being outgunned. “The cybersecurity programs of US organizations do not rival the persistence, tactical skills and technological prowess of their potential cyber adversaries,” the report said. 

What Is Cybercrime?

According to the Bureau of Justice Statistics, there are three general categories of cybercrime:
  • A cyberattack is a crime in which the computer system is the target. Cyberattacks consist of computer viruses, denial of service (DDoS) attacks and electronic vandalism or sabotage.
  • Cybertheft refers to a crime in which a computer is used to unlawfully acquire money or other items of value. Examples include embezzlement, fraud and theft of intellectual property or personal or financial data.
  • Other computer security incidents include those made through theft of information. They are carried out with the help of adware, spyware, hacking, phishing, pinging, port scanning and more.

Notable Events in the United States



Major cyberattacks are becoming more and more common as hackers become more skilled. In recent years, several large-scale data hacks have occurred within major companies, including the following.
  • Target: In December 2013, hackers gained access to customer credit and debit card information through Target’s website. The breach occurred long before it was detected, but Target was able to remove the malware that the hackers installed.
  • Home Depot: A hack similar to Target’s occurred in September 2014 on Home Depot’s website, affecting almost 60 million customer credit cards.
  • JPMorgan Chase: In August 2014, cyberattackers hacked into JPMorgan Chase’s information systems and compromised the accounts of 76 million households and 7 million small businesses. This security breach is among the largest ever recorded.
  • Sony: Another highly publicized hack occurred when Sony Pictures Entertainment suffered a large-scale data breach in November 2014. The information stolen included personal employee data, internal emails, financial information, copies of unreleased films and more. The hackers in this case had a stated agenda: they demanded the cancellation of the release of the film The Interview, a comedy about an assassination plot against North Korean leader Kim Jong-un.

The Origins of Hacking

In the tech world, hacking is defined as “any technical effort to manipulate the normal behavior of network connections and connected systems.” Historically, the term “hacker” referred to clever, non-malicious technical work that was not necessarily related to computers. But while early hackers were enthusiasts who were primarily interested in modifying and optimizing programs for specific applications, malicious attacks became the norm as popularity grew. No longer satisfied with benign exploration of systems merely to learn how they worked, hackers began to use their skills for personal gain.

A Culture Divided

During the 1980s, a turning point occurred in the history of hacking, a direct result of the introduction of personal computers by companies such as IBM and Apple. Rather than working strictly within existing networks, hackers could now purchase computers for their own use. This meant that more and more individuals were learning to hack — and a larger number of active hackers created divides within the hacking community.
Before this division, essentially all hackers had dishonest motives: to illegally and unethically take control of both computers and networks. However, two distinct types of hackers emerged during the 1990s and still exist today. These “black hats” and “white hats” have very different views of how tech prowess should be put to use.
  • Black-hat hackers, or malicious hackers, are criminals whose common job is to identify vulnerabilities in computer systems and manipulate them for gain. This is the classic definition of a hacker, as it identifies someone who purposefully seeks to commit theft or vandalize networks. Black-hat hackers are gifted but unethical computer experts who seek personal gain.
  • Ethical hackers, or white hats, are one modern answer to malicious black hats. They may be employed by organizations to test computer systems and networks for vulnerabilities. These hackers use the same methods as black-hat hackers, but their goal is to fix computer security vulnerabilities and run tests to prevent malicious hacks from being carried out.

The Demand for Defense

Though ethical hackers are a source of additional help when it comes to identifying system vulnerabilities, trained cybersecurity professionals are more qualified to protect networks and create secure environments. They have an extensive number of methods available, such as firewall analyzers and portable anti-virus programs.
No matter how useful and high-tech these tools are, skilled security analysts are necessary if these tools are to be used effectively to protect companies. By 2017, the global cybersecurity market is expected to grow to a staggering $120.1 billion. In fact, the demand for cybersecurity experts is growing at 3.5 times the pace of the overall IT job market — and 12 times faster than the job market overall. In terms of salary, The Wall Street Journal states that engineers, analysts, architects and other types of trained cybersecurity professionals average $101,000 based on advertised information. This is well above the expected salary for IT professionals, which is $86,000, according to the Bureau of Labor Statistics.
Individuals interested in this career can consider pursuing an education in cybersecurity. To learn more about working in the cybersecurity field, follow #CyberAware and this week’s NCSAM materials, which focus on the future of the cyber workforce.

Indian Scientists Developed A New Algorithm To Prevent Cybercrime

Indian researchers have developed a new keystroke algorithm that can use unique human typing patterns to make online authentication processes more secure, reliable and cheap.
The new method developed by researchers at the Department of Computer Science and Engineering, Jeppiaar Engineering College, Chennai, hopes to alleviate some of the common issues for internet users including loss of password, growing prowess of hackers, and easy access to methods such as phishing and usage of bots.
Like fingerprint scans, retina scans and facial recognition, keystroke dynamics are a biometric – they measure a unique human characteristic.
“As the typing pattern varies from person to person, this can be used as a suitable method for the authentication process more effective than others,” researchers J Visumathia and P Jesu Jayarin wrote in the Journal of Applied Security Research.
“The information needed for the process is using the various software systems already present in the computer, leading to a decrease in costs,” researchers said.
The new keystroke template algorithm combines measures from existing models to increase precision. To test their algorithm, the researchers built a programme that users could log into using passwords of varying length.
While entering their credentials, keystroke dynamics were recorded.
Results indicate that their algorithm was successful in decreasing login errors and making improper authentication very unlikely, thus advancing keystroke dynamics analysis as a viable e-security measure.
This method is especially appealing for its relative ease of implementation, as the information needed to evaluate human typing patterns is already present in computers, researchers said.
The researchers call for additional testing before the new algorithm can be used as a security measure.
“We concluded from the results presented that keystroke dynamics analysis holds big potential as an authentication method, but the methods used in the process have to be improved before it can be used as an independent security measure,” researchers said.
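The article does not describe the Jeppiaar algorithm itself, so the following is a generic added illustration of how keystroke dynamics authentication works, not the researchers' method or code. It assumes the two classic timing features (dwell time, how long a key is held, and flight time, the gap between releasing one key and pressing the next), a template made of per-feature means and standard deviations from enrollment samples, and a scaled Manhattan distance with a constructed threshold of 1.5; the password, timings and names are all constructed.

```python
import statistics
from typing import List, Sequence, Tuple

# One keystroke sample: (key, press_time_ms, release_time_ms) for each key typed, in order.
Sample = List[Tuple[str, float, float]]
Template = Tuple[List[float], List[float]]

PASSWORD = "abcd"  # constructed; one dwell time per key and one flight time per gap


def make_sample(dwells: Sequence[float], flights: Sequence[float]) -> Sample:
    """Build press/release timestamps from dwell and flight times in milliseconds."""
    sample, t = [], 0.0
    for i, key in enumerate(PASSWORD):
        press, release = t, t + dwells[i]
        sample.append((key, press, release))
        t = release + (flights[i] if i < len(flights) else 0.0)
    return sample


def extract_features(sample: Sample) -> List[float]:
    """Dwell times followed by flight times, the typing pattern the text refers to."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def build_template(samples: Sequence[Sample]) -> Template:
    """Per-feature mean and standard deviation over the enrollment samples.
    The deviation is floored at 1 ms so a nearly constant feature cannot dominate the distance."""
    vectors = [extract_features(s) for s in samples]
    means = [statistics.fmean(col) for col in zip(*vectors)]
    stdevs = [max(statistics.pstdev(col), 1.0) for col in zip(*vectors)]
    return means, stdevs


def distance(template: Template, sample: Sample) -> float:
    """Scaled Manhattan distance: mean absolute deviation in units of the enrollment std."""
    means, stdevs = template
    feats = extract_features(sample)
    if len(feats) != len(means):
        raise ValueError("sample length does not match template")
    return sum(abs(f - m) / s for f, m, s in zip(feats, means, stdevs)) / len(feats)


def verify(template: Template, sample: Sample, threshold: float = 1.5) -> bool:
    """Accept when the login attempt's timing is close enough to the enrolled pattern."""
    return distance(template, sample) <= threshold


# Constructed enrollment data for one user, plus a genuine attempt and one by another typist.
ENROLLMENT = [
    make_sample([100, 110, 95, 105], [150, 160, 140]),
    make_sample([105, 100, 100, 110], [155, 150, 145]),
    make_sample([95, 105, 105, 100], [145, 155, 150]),
]
GENUINE_ATTEMPT = make_sample([102, 107, 98, 103], [152, 153, 147])
OTHER_TYPIST = make_sample([60, 65, 60, 60], [300, 310, 290])
```

The threshold is the trade-off the researchers' quote alludes to: lowering it rejects more impostors but also more genuine logins on an off day, which is why keystroke dynamics is usually layered on top of a password rather than used as the sole factor.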


Facebook Has A New Update: It’s Time To Change Your Privacy Settings

If you’re a Facebook user, it’s time to look into your privacy settings following the new update to Facebook Search. Facebook recently announced a major update to its search feature, bringing it closer to competitors Google and Twitter. “Today, we’re updating Facebook Search so that in addition to friends and family, you can find out what the world is saying about topics that matter to you,” as mentioned on the Facebook blog.
From now on, in the search box, Facebook will offer personalized suggestions you might be interested in. “As you type, we’ll highlight things that are happening right now so you can follow popular stories as they unfold,” wrote Tom Stocky, Facebook’s VP of Search.
Besides your friends’ posts, the search engine can now return relevant results from all public Facebook posts. “Search results are organized to help you cut through the noise and quickly understand what the world is saying about a topic in the moment,” Stocky added.
Facebook makes it easier to make trending news accessible in real time. With one tap, you can see public posts and all relevant trending posts about it. Facebook hopes to improve it over time with user feedback as it is seen as the first step.
The tool is optimized to make Facebook posts relevant and widely sharable by media outlets, from CNN to Reddit, when they are at the heart of an unfolding viral moment. Theoretically, in a way it is like following a story as it unfolds in the heat of the moment as it is done on Twitter.
You might ask, “What does this new Facebook update mean to me?”
Here is the critical part – any public status or update can now be searchable worldwide, in real time with roughly any effort on behalf of the user.
Martin Stoehr, a Facebook user updated his status regarding the same. A search was made by us using ‘Search FYI’ and we found his quote in real time, “Last Year, Facebook helpfully introduced a feature that made individual posts searchable, rather than just people and brands. At the time search was limited to friends. Now, it includes all public posts, including yours, making this an excellent time for a Facebook privacy refresher.”
As a Facebook user, if you do not want your status updates (past, present or future) to be easily searched and viewable by anyone in the world, now would be an excellent time to update your privacy settings. Make sure your posts do not have the tiny “globe” icon next to them, which means they are set to ‘Public’. There is also a setting in Facebook that changes every post you made publicly in the past to ‘Friends Only’.


Your Self-Encrypting Hard Drive May Use Encryption That Really Sucks

Self-encrypting hard drives are a bright idea, allowing you to back up data safe in the knowledge that nobody else can sift through it. Unless, that is, the encryption system is easy to crack, which a new security study has found can be the case.
Motherboard reports that a study sent to the Full Disclosure mailing list, where researchers post security findings when a company doesn't seem to care, suggests that Western Digital's range of My Passport hard drives suffer from such a problem. While they are purported to encrypt the data stored on them, it seems that cracking the encryption scheme is actually trivial.
The weakness results from the way the encryption key is generated. First, it uses the C library function rand() to generate a random number for use in the encryption scheme. That function produces numbers that are known not to be random enough for use in encryption.
Second, the generator is seeded with a number that is simply the time of creation written as a 32-bit value. Since the key must have been generated at some point between the drive's manufacture and now, only a limited number of timestamps need to be tried before the correct key is obtained. In turn, that makes it possible to crack the scheme relatively quickly on a normal desktop PC.
Sadly, that's the best case. In the worst case, the researchers found that, on some of the My Passport drives, the encryption key required to access the drive is actually stored on the drive. In plain text.
The researchers have contacted Western Digital, but are not aware of the company taking any action to solve the problem. Until it does, any My Passport drive is best considered unencrypted.
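To make the two weaknesses concrete, the following added example (not from the study or from Western Digital's firmware) models a key derived from rand() seeded with a 32-bit timestamp, shows that it is a deterministic function of that one value and that the search space is bounded by the seconds between manufacture and now, and contrasts it with drawing the key from the OS CSPRNG. The key length and the timestamps are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_BYTES 32   /* constructed: a 256-bit key for illustration */

/* Weak scheme as described in the text: the whole key is a deterministic
 * function of one 32-bit timestamp fed to srand(). */
void weak_key_from_time(uint32_t ts, unsigned char key[KEY_BYTES]) {
    srand(ts);
    for (size_t i = 0; i < KEY_BYTES; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Returns 1 if two derivations from the same timestamp yield the same key,
 * i.e. there is no entropy beyond the seed itself. */
int weak_key_is_deterministic(uint32_t ts) {
    unsigned char a[KEY_BYTES], b[KEY_BYTES];
    weak_key_from_time(ts, a);
    weak_key_from_time(ts, b);
    return memcmp(a, b, KEY_BYTES) == 0;
}

/* Effective key space of the weak scheme: one candidate per second between
 * the drive's manufacture date and the present, not 2^256. */
uint64_t weak_key_candidates(uint32_t manufactured, uint32_t now) {
    return now >= manufactured ? (uint64_t)now - manufactured + 1 : 0;
}

/* Hardened alternative: take key bytes from the OS CSPRNG (assumes a
 * POSIX /dev/urandom). Returns 0 on success, -1 on failure. */
int strong_key(unsigned char key[KEY_BYTES]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_BYTES, f);
    fclose(f);
    return n == KEY_BYTES ? 0 : -1;
}

/* Returns 1 if two independent strong keys differ, as they should. */
int strong_keys_differ(void) {
    unsigned char a[KEY_BYTES], b[KEY_BYTES];
    if (strong_key(a) != 0 || strong_key(b) != 0) return 0;
    return memcmp(a, b, KEY_BYTES) != 0;
}
```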


Internet Businesses To Fuel Need For Cyber Security Professionals

With the increasing complexity of the security threat landscape, demand is growing for IT professionals specialising in cyber security.

There is almost nothing that you can’t order online these days. Clothes, books, accessories, food, medicines and cabs: everything is available at the tap of a finger. But recent incidents of hacking at several internet startups have brought the focus back to cyber security.

In fact, a cyber security report recently released by ISACA, the global IT association, which took insights from more than 660 cyber security professionals, revealed that many organisations are leaving the door open to an advanced persistent threat (APT) attack.

The study found that:
•  More than one in four (28%) companies have experienced an APT attack.
•  Social engineering remains at the centre of APT efforts to gain a foothold in companies’ information systems.
•  Early attempts began with phishing, evolved to spear phishing and moved on to whaling, which often included an attachment or a link that contained malware or an exploit.
•  In the past three years, APTs have moved to the internet as the main attack vector, leveraging websites, social media and mobile apps.

This evolving cyber security landscape is in fact creating a consistent demand for quality cyber security professionals who can tackle such threats effectively. 

“Advanced persistent threats have become the norm. Many major breaches are connected to APT tools and methodologies. As a result, it is more critical than ever for cyber security leaders and professionals to have a thorough understanding of these threats, and to be prepared to quickly and effectively respond,” said Christos Dimitriadis, international president, ISACA. 
According to TechGig.com data, the demand for cyber security professionals is not only within security software vendors but also within industries such as telecom and BFSI, where data is extremely critical, and now slowly within the e-commerce industry.
We drilled down to analyse the kind of skills the industry is looking for in cyber security professionals. Here is a snapshot:

•  Knowledge and strong domain expertise in technology implementation and integration; experience in identity and access management, endpoint security, security incident and event management, data protection, encryption and key management
•  Knowledge of applicable industry standards, leading security practices and regulatory requirements
•  Knowledge and practical understanding of security fundamentals and general security technologies
•  Ability to develop solution architectures and blueprints based on business, technology and security objectives
•  Calibre to architect enterprise-level security solutions and drive technical design and implementation
•  Ability to operate as a technical subject matter expert and advise project teams regarding integration with multiple cyber security technologies

Though industries are not looking at hiring large numbers of cyber security professionals, demand is high for quality talent with proven skills in the internet security domain.

As per Cyber Crime Defence data, the maximum demand is for middle-level professionals who have between 2 and 5 years of experience. 

With cyber threats getting more and more complex, going forward the need for cyber security professionals is only going to increase. If you are an IT professional who is just kick-starting your career, cyber security is one thing which you must explore. 

It definitely holds a lot of promise as a career if your passion coincides with what the job role demands.


Croatia is HACKED? ATMs, DSL, POS Terminals are DOWN!

Some ATMs and POS terminals are also down.
Croatia’s largest phone operator Hrvatski Telekom (Croatian Telecom) has been experiencing major difficulties so users across the country are having trouble with their fixed and mobile lines as well as Internet connections. But that’s not where the problem ends.
Croatia may not be the only country affected; we have received reports from people in Bosnia and Herzegovina as well.
Because of this technical problem, many ATMs are also out of service, the Zagreb Stock Exchange has postponed its trading and many stores are not accepting cards of any kind because their POS systems are not working. Even though HT stated that the problem would be fixed by 10:30, an hour ago they posted a message on their Facebook wall stating that they are doing everything they can to normalize the situation.
In the meantime, @KuNaNetw0rk claims on Twitter that hackers are responsible for this “meltdown”, or a DDoS attack to be more exact, and states that BNet and Vipnet will be next.