ICYMI: AOL data breach, fighting cybercrime, Target CISO and Windows XP

AOL: Hackers stole data

It's been a horrible couple of weeks for AOL. One week after the integrity of its servers was questioned, the internet provider started sending out warnings to users advising them that their personal information had been stolen by hackers.

On Monday, the net giant said that the same hackers responsible for the deluge of spam last week had gained access to its servers and stolen information, including email addresses, contact lists and home mailing addresses. Encrypted passwords and encrypted security questions and answers – a back-up authentication method – had also been swiped.

AOL (via The Register) says that the breach affected around two percent of AOL's customer email accounts.

The news is the latest sign that – as various vendors promoted during the Infosecurity show – 'it's not if but when' as far as data breaches are concerned.

And yet the lack of government action – coupled with the paltry fines for data breaches – makes it a worrying time.

In fact, a freedom of information (FOI) request submitted by ViaSat this week showed that while the number of data breaches reported to the Information Commissioner's Office (ICO) had increased in the last year, the penalties issued by the data protection watchdog had more than halved.

Some will say that this is all the more reason for the EU Data Protection Regulation to come into effect, although the ICO deputy commissioner David Smith predicted that it may not come into effect until 2017.

Fortunately – for American citizens at least – the US is trying to forge ahead in this area. The BBC reports that a White House Panel has called on Congress to bring in a US national standard for notifying consumers when their data has been hacked.

There are several data breach state laws at present, but no overall Federal law, which the panel would look to rectify.

Law enforcement wants to collaborate on cyber-crime

The message is coming loud and clear from police and law enforcement agencies – prosecuting cyber-criminals is tough, especially when they so often carry out their work across numerous countries and jurisdictions.

French and British government agencies have previously complained about this, and Troels Oerting – head of EC3 – followed suit at Infosecurity Europe.

“The problem is that criminal groups are using the same tools [as the investigators]. You can't see the attack, don't know the motive...you need to do some homework.”

He added: “Not even NSA can infiltrate the darknet; cyber-criminals are utilising Bitcoin and the darknet, it makes it even more difficult for us to follow the money.”

The FBI's Michael J Driscoll and the National Cyber Crime Unit's deputy head Lee Miles also mulled cyber-crime collaboration at the event, according to CBR.

"In 18 years, I've never seen a threat that requires greater involvement by the public than cyber issues," said Driscoll.

"I can't get out and conduct cyber investigations until you open the door for us. Folks out there in the information security world are the frontline in helping us identify the threat and eliminate it. We are at the whims of internet service providers to open the door for us."

Miles added that international help is "essential" when dealing with cybercrime, saying: "We cannot do this without international assistance... often we don't stand a hope of prosecuting."

Should Target's first CISO report to the CIO?

US retailer Target this week appointed a chief information security officer (CISO) for the first time.

Bob DeRodes, a former senior information technology adviser to the US Department of Homeland Security, the Secretary of Defense and the Justice Department, will take up his new position on May 5.

Beth Jacob, Target's outgoing CIO, resigned after the data breach late last year, which affected some 70 million customers (including 12 million with credit cards, according to the company's own figures). Some were surprised that a) she took the blame and b) Target didn't have a CISO.

Target looks to have rectified this now, although some will continue to debate the CISO's role, and specifically to whom he or she should report.

Some commentators told SCMagazineUK.com recently that an overall CISO should control information security, while SANS fellow Dr Eric Cole – former CSO at Lockheed Martin and CTO at McAfee – sat down with SC in London this week to stress that the CISO should sit on a par with the CIO.

Windows XP saved again

This week was a significant landmark in the timeline of Microsoft's Windows XP, which went end-of-life on April 8.

The Redmond software giant revealed that a remote code execution vulnerability affects Internet Explorer versions 6 to 11, running on all versions of Windows from Vista to 8 and Windows Server 2003 to 2012 R2.

The flaw allows hackers to access memory data on a user's computer – or even install and delete programs if the affected user has administrative rights – and was initially expected to remain unpatched on Windows XP.

Microsoft has now rolled out a patch for current systems and – crucially – fixed the zero-day for XP too. The zero-day on XP was apparently being exploited by Chinese cyber-criminals targeting EU-based organisations, showing that hackers may well have been saving up exploits for a 'wild west' assault on the 12-year-old OS.