ICYMI: Freak flaws, 'smart' city questions and UK data breaches

This week's In Case You Missed It column looks at the top five articles on SC this week, including new Facebook flaws, 'Freak' attacks and the trade-offs with 'smart' cities.


Facebook Login hijacking tool offered to black hat hackers

Penetration testing company Sakurity openly named and blamed Facebook for a security vulnerability that it says exists on websites with a Facebook login option.

In a direct call to black hat hackers, Sakurity has created RECONNECT as a ready-to-use tool to hijack accounts on websites including Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.

“Feel free to copy and modify [the RECONNECT] source code,” says Sakurity founder Egor Homakov. “Facebook refused to fix this issue one year ago, unfortunately it's time to take it to the next level and give black hats this simple tool.”

Facebook denies that it has refused to fix the issue, emphasising that it evaluates the trade-offs entailed in making changes.

BlackBerry turns sour over Freak vulnerability

Embattled handheld maker BlackBerry is the latest firm to warn users that its products are vulnerable to OpenSSL/TLS Freak attacks. BlackBerry itself confirms that a large number of the firm's device operating systems and the BlackBerry Messenger service are affected by the flaw.

BlackBerry's recent improvement in technology markets has been in part down to the success of the firm's BlackBerry Enterprise Server (BES) middleware intelligence software. This product is also affected, although an attacker would have to compromise a user or team's intranet to launch an attack.

Freak, the OpenSSL factoring attack on RSA-EXPORT keys, is a vulnerability in the OpenSSL implementation included with affected BlackBerry products.

The Freak bug surfaced in March 2015 and affects the HTTPS security protocol used widely across the web for locking down pages such as online banking and e-commerce. The weaknesses exploited by Freak can lead to so-called man-in-the-middle (MiTM) attacks, where attackers become capable of listening in on the network traffic exchanged between a user and a destination web server.

Microsoft, Android and iOS devices are also affected – although patches and fixes have been issued.
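The Freak downgrade works because a vulnerable client accepted an RSA "export" key in a ServerKeyExchange message even when it had negotiated a strong, non-export RSA suite, so a man-in-the-middle could substitute a short, factorable key. The following Python model is an added illustration, not code from OpenSSL or from any vendor named above; the cipher-suite names are real TLS identifiers, but the handshake logic, the `vulnerable_client_accepts` / `fixed_client_accepts` functions and the 512-bit injected key are a simplified, constructed model of the check that the fix restores, alongside the server-side mitigation of dropping export suites altogether.

```python
"""Simplified model of the handshake check behind the Freak fix.

Added example with hypothetical names; not the OpenSSL implementation.
"""
from dataclasses import dataclass
from typing import Optional

# Real TLS cipher-suite names (RFC 2246 / RFC 3268); the grouping into
# "export" and "strong" sets is constructed for this model.
EXPORT_SUITES = {"TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
STRONG_RSA_SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA",
                     "TLS_RSA_WITH_AES_256_CBC_SHA"}
EXPORT_KEY_MAX_BITS = 512   # export-grade RSA was capped at 512 bits


@dataclass
class ServerKeyExchange:
    """Ephemeral RSA key that a server legitimately sends only for export suites."""
    rsa_modulus_bits: int


def vulnerable_client_accepts(suite: str, ske: Optional[ServerKeyExchange]) -> bool:
    """Modelled pre-fix behaviour: the client never checks whether an ephemeral
    RSA key belongs with the suite it negotiated, so a 512-bit key slips in."""
    return suite in EXPORT_SUITES or suite in STRONG_RSA_SUITES


def fixed_client_accepts(suite: str, ske: Optional[ServerKeyExchange]) -> bool:
    """Modelled post-fix behaviour: an ephemeral RSA key is only legal when an
    export suite was actually negotiated, and then only at export size."""
    if ske is None:
        # Plain RSA key exchange uses the certificate key; nothing to inspect.
        return suite in EXPORT_SUITES or suite in STRONG_RSA_SUITES
    if suite in STRONG_RSA_SUITES:
        return False   # a strong RSA suite has no ephemeral RSA key at all
    return suite in EXPORT_SUITES and ske.rsa_modulus_bits <= EXPORT_KEY_MAX_BITS


def downgrade_succeeds(client_accepts) -> bool:
    """Simulate the man-in-the-middle: the client offers only strong suites,
    the server picks one, and a constructed export-size ServerKeyExchange is
    inserted into the handshake. Returns True if the client swallows it."""
    client_offer = sorted(STRONG_RSA_SUITES)
    server_choice = "TLS_RSA_WITH_AES_128_CBC_SHA"
    assert server_choice in client_offer
    injected = ServerKeyExchange(rsa_modulus_bits=512)   # constructed MitM message
    return client_accepts(server_choice, injected)


def harden_server_suites(configured):
    """Server-side mitigation: remove every export suite from the offer list so
    that no export-grade key is ever generated, whatever the client accepts."""
    return [s for s in configured if "EXPORT" not in s]


if __name__ == "__main__":
    print("vulnerable client downgraded:", downgrade_succeeds(vulnerable_client_accepts))
    print("fixed client downgraded:     ", downgrade_succeeds(fixed_client_accepts))
```

The two mitigations are independent: patching clients closes the acceptance bug, while stripping `EXPORT` suites from server configurations removes the weak keys from the handshake entirely, which protects even clients that have not been updated.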

Dirty Facebook worm cuts itself in half to evade detection

Facebook distributing malware is nothing new, nor are shortened URLs for obfuscation, in-the-cloud servers for anonymity or porn as a lure. However, the latest Kilim-family variant which has hit Facebook uses all of them, and with a twist: this worm keeps cutting itself in half to evade detection.

Jerome Segura, security researcher at Malwarebytes, spotted the worm using Facebook with a lure of what appeared to be a link to a pornographic video which, unsurprisingly, actually links to a malicious executable instead. If clicked, this kicks off the social media infection process by leveraging that user's contacts who see a message posted by the victim promising some very dubious pornographic photos. This is where the link-chopping starts with the URL being obfuscated by the use of the ow.ly URL shortening service.

That in itself is not newsworthy; the multi-layer redirection architecture, which uses ow.ly in conjunction with multiple cloud platforms (Amazon Web Services and Box.com), is.

Click on the shortened link and it immediately redirects to another shortened link which, in turn, redirects to an AWS page in the cloud which passes the user request onto a malicious site. This site then redirects the user to a link on Box.com which initiates a download prompt. Download that file and run it and the user is infected, in effect becoming a bot which spreads the original ow.ly link to their social circle on Facebook.
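A defender triaging links like these wants to see the whole redirect chain before anyone clicks, and to flag the pattern described above: shortener to shortener, on to a cloud host, then a download of an executable. The following Python is an added example, not code from Malwarebytes or from the report; it walks a constructed redirect table (standing in for the `Location` headers an HTTP client would see) with a hop limit and loop check, and classifies the chain. The host lists, the `REDIRECTS` table and every URL in it are constructed placeholders, and the function names are hypothetical.

```python
"""Offline redirect-chain walk and classification for shortened-link lures.

Added example with constructed data; the table stands in for live HTTP 30x
responses so that the logic can be run without touching the network.
"""
from urllib.parse import urlsplit

SHORTENERS = {"ow.ly", "bit.ly"}                 # shorteners named in the report
CLOUD_HOSTS = {"amazonaws.com", "box.com"}       # cloud platforms named in the report
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat")
MAX_HOPS = 10                                    # cap so a long chain cannot run away

# Constructed redirect table (url -> redirect target); none of these are real links.
REDIRECTS = {
    "http://ow.ly/aaaa": "http://ow.ly/bbbb",
    "http://ow.ly/bbbb": "http://example-bucket.s3.amazonaws.com/go.html",
    "http://example-bucket.s3.amazonaws.com/go.html": "http://lure.invalid/video",
    "http://lure.invalid/video": "https://app.box.com/s/placeholder/video.exe",
}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def in_domains(host: str, domains) -> bool:
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def follow_chain(start: str, table=REDIRECTS, max_hops: int = MAX_HOPS):
    """Return the list of URLs visited, stopping at a non-redirect, at the hop
    cap, or on the first repeated URL (a redirect loop)."""
    chain = [start]
    seen = {start}
    url = start
    while url in table and len(chain) < max_hops:
        url = table[url]
        chain.append(url)
        if url in seen:
            break            # loop: record the repeat, then stop
        seen.add(url)
    return chain


def classify(chain):
    """Return the list of flags raised by a chain; an empty list means nothing
    about the chain's shape looked like the lure pattern."""
    flags = []
    shortener_hops = sum(1 for u in chain if in_domains(host_of(u), SHORTENERS))
    cloud_hops = sum(1 for u in chain if in_domains(host_of(u), CLOUD_HOSTS))
    final_path = urlsplit(chain[-1]).path.lower()
    if shortener_hops >= 2:
        flags.append("chained-shorteners")
    if cloud_hops >= 1:
        flags.append("cloud-relay")
    if final_path.endswith(EXECUTABLE_SUFFIXES):
        flags.append("executable-download")
    if len(set(chain)) < len(chain):
        flags.append("redirect-loop")
    if len(chain) >= MAX_HOPS:
        flags.append("hop-limit-reached")
    return flags


if __name__ == "__main__":
    chain = follow_chain("http://ow.ly/aaaa")
    for hop, url in enumerate(chain):
        print(f"{hop}: {url}")
    print("flags:", classify(chain))
```

In production the table lookup would be replaced by a request that does not follow redirects automatically and reads each `Location` header itself, which is what keeps the hop limit and loop check meaningful; the classification stays the same.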

Bristol launches 'smart' city amid privacy doubts

Bristol has launched a 'smart cities' project that will see a software-defined network facilitate machine-to-machine learning for a future of driverless cars, assisted living and real-time healthcare. But where does that leave citizens' privacy?

The 'Bristol is Open' project is a joint venture between the University of Bristol and Bristol City Council, with £5.3 million in funding from the government's Department for Culture, Media and Sport. Essentially, it is a city-wide intelligence scheme encompassing a huge fibre optic, wireless and mesh network powered by a high-performance software-defined network (SDN).

This SDN – known as the City Operating System – connects to the University's Blue Crystal high-performance computer and also integrates Silver Spring Networks' standards-based IPv6 wireless network (IoT), which will connect to smart city sensors such as intelligent street lighting, weather and parking sensors.

SCMagazineUK.com attended the launch event on Tuesday, where university and city officials spoke with great enthusiasm about the benefits, such as easing congestion, trialling driverless cars, monitoring electricity use and helping disadvantaged people with housing. But questions were also asked about whose data it is anyway, and what should be shared.

UK firms horribly unprepared for data breach response

Two new studies reveal that despite a third of UK businesses suffering a breach in the last year, most organisations severely overestimate their readiness to respond to an incident.

On Tuesday, BlueCoat and Experian released independent reports which painted a bleak picture of UK firms' information security practices, finding in particular that companies did not have appropriate incident response plans or carry out appropriate risk and security assessments.
