Microsoft Adopts Linux for IoT Security

For the first time Microsoft has announced that it will make Linux available instead of Windows as the operating system for microprocessors  which access its Azure Sphere cloud security service.

Read more...


14 Year Old Hacker Charged Over FruitFly Malware

A 28-year-old Ohio man has been named by federal prosecutors as the alleged author of a decade-old Mac malware, which he is accused of using to remotely spy on thousands of unsuspecting victims.

The malware, named FruitFly, is a highly-invasive Perl-based malware that can allow the controller to secretly take complete control of an infected computer - including recording from the webcam and microphone, viewing what's on the screen, controlling the keyboard and mouse, and remotely downloading files.

Full Story...

Uber Admits to Concealing Data Breach

According to a report published by Bloomberg on 22nd November, the ride-share giant Uber has admitted that former executives had concealed, for more than a year, a data-breach which compromised information of 50 million customers. The hack, which occurred in October 2016, compromised a GitHub repository which contained names and contact details of 50 million customers worldwide as well as 7 million drivers. Rather than notify affected parties of the breach the company decided instead to pay a ransom to the hackers to delete the affected information and keep quiet.

This story is disturbing on many levels.

Transparency is essential if consumers and business are to maintain trust in cloud computing and eCommerce. Instances of data breach should be notified to all affected parties as soon as they become known so that they can take any remedial action that they believe is appropriate.

The fact that executives of a major global corporation, including its former Chief Security Officer and former Chief Executive chose to pay a major ransom to hackers instead of disclosing the breach raises serious questions about the culture of the organisation and the moral compass of the individuals involved. The company and its executives have exposed themselves to civil litigation from affected parties as well as the possibility of criminal sanction.

Beyond this, the mere fact that the company hosted live customer and partner data on a GitHub repository indicates gross carelessness in the company's software development and testing processes. Developers can easily create simulated data for testing purposes and under no circumstances should be storing live customer or partner data on repositories outside their control.

It is also disturbing whenever hackers are rewarded financially for executing this type of criminal activity. This applies not only to payment of ransom in cases of data beach, but payment of ransom for hijacking of computers with ransomware, which is on the increase.

It is a good sign that Uber, under new management, has finally come-clean and accepted responsibility for its previous actions. But this might be too little too late given the fact that security remains one of the major impediments to wider adoption of cloud computing by business. We can hope that the current class-action law suit being staged against Uber in relation to this matter will provide sufficient disincentive for other companies to follow suit. 

1.4 Billion Passwords Circulating on Dark Web

A new collection of 1.4 billion usernames and passwords has been discovered, circulating on the dark web. According to researchers, the collection is believed to be an amalgamation of usernames and passwords from previous hacks as well as information from new breaches.

The ease of accessibility and use of the collection represents a major security risk because many individuals use the same username and password across multiple websites. So hackers can take a username-password combination that was stolen from one website and attempt to use it for accessing services on other websites. Unless users change their credentials regularly or always have different credentials for the websites they visit, the existence of this collection will likely lead to further data theft, possibly undetected. "None of the passwords are encrypted, and what's scary is that we've tested a subset of these passwords and most of the have been verified to be true" researchers said.

The collection is believed to include credentials that were collected during previous hacks of Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in. So it is likely that the collection will provide fertile ground for hackers wishing to exploit the credentials on other websites.

Read more...

 

​Cybersecurity as big a challenge as counterterrorism, says spy chief

Defending against cyberattacks is as big a challenge for the UK as protecting against terrorism, according to the director of GCHQ.

"If GCHQ is to continue to help keep the country safe, then protecting the digital homeland -- keeping our citizens safe and free online -- must become and remain as much part of our mission as our global intelligence reach and our round-the-clock efforts against terrorism," Jeremy Fleming, the director of GCHQ, wrote in an article for the Telegraph.

While the UK government surveillance service is best known for gathering intelligence on criminals, terrorists, and foreign states, it also has a cybersecurity arm: the National Cyber Security Centre (NCSC). Recently the NCSC said 1,131 cyber incidents had been reported to it in the past year.

Fleming said that the agency is investing in security "to make GCHQ a cyber organisation, as well as an intelligence and counter-terrorism one." But he said balancing the security role with GCHQ's more traditional spy role was difficult: "All of this can feel deeply challenging for a GCHQ that by necessity has worked in the shadows," he admitted

Full article...