ICYMI: Black Hat news, biggest breach ever & figures to take to the CEO

Black Hat news

The Black Hat conference took place in Las Vegas this week, and there were several excellent speakers and sessions.

Some of the biggest news came before the show; two researchers from Carnegie Mellon University cancelled their talk on Tor vulnerabilities after encountering legal issues – and reportedly pressure from NSA (the duo are subsequently facing questions on a recent Tor Project attack), while a BAE talk on the Snake APT was pulled, only for Kaspersky to come out with new research on the subject days later.

There was, however, plenty of news to come out of the show. In-Q-Tel CISO Dan Geer urged the US government to buy up zero-days (see SC US for more coverage), and concerns were raised on airplane, car and mobile security. Presentations followed on compromising USBs and on how one researcher was able to remotely control basic amenities in a luxury hotel.

Yahoo CISO said that the firm would support end-to-end encryption in the week that Google said it would index websites higher with HTTPS, and Bruce Schneier talked up the need for incident response.

SCMagazine.com online editor Marcos Colon reported from the event and said that there was a lot of discussion around POS systems and the Internet of Things, as well as privacy – with McAfee founder John McAfee criticising Facebook and Google in this regard at BSides.

All of this clearly resulted in numerous headlines, leading some experts on Twitter to calm the fears: “[Attention] non-infosec journalists, Black Hat is currently on. The sky is not, I repeat not, falling down,” wrote security commentator Quentyn Taylor.

Biggest breach ever but was vendor in the wrong?

The headline story of this week was arguably the news that Russian hackers in the group ‘CyberVor' had gathered some 4.5 billion records, including 1.2 billion usernames and passwords, by compromising over 400,000 websites.

Very little information has been released since, and some in the field believe it may not even be entirely true, but US-based Hold Security – which discovered the breach – has come in for considerable criticism as it was proposing charging approximately £70 for companies to find out if they had been compromised.

The firm has defended itself, saying that it was simply recouping costs, although its intentions come into question in a week where FireEye and Fox-IT teamed up to offer a free portal for CryptoLocker victims to get their files back unencrypted.

Google and Microsoft out paedophiles

There have been calls in recent times for private companies to help police investigators bring cyber-criminals to justice. Most notably, NCCU head Andy Archibald told members of the press last month that more needed to be done to get private companies on-side in their investigations.

The subsequent take-down of Shylock involved security companies, and the likes of Kaspersky and Symantec have huge R&D teams to reveal new threats.

But Google and Microsoft made the news this week after both passed on details about their users to law enforcement, resulting in the arrest of two US men for viewing or uploading child abuse images.

Google tipped off the National Center for Missing and Exploited Children after it found that a 41-year-old had searched for images of young children, while the BBC later reported that a man in Pennsylvania allegedly uploaded child pornography to Microsoft's OneDrive cloud storage.

Both Google and Microsoft didn't go to law enforcement, and used the PhotoDNA technology to identify the users.

Google told reporters that it only currently scans for child pornography.

Show this to your CEO

A lot continues to be written about how information security is missing from the boardroom top table. Just this week, we've been writing a feature for our forthcoming magazine on exactly who the CISO should report to.

The consensus seems to be that CISOs must speak the language of money, which should be an easy target for the new CISO of Target: the US big-box retailer this week reported that the data breach late last year, in which 40 million customer records were compromised, could cost the firm as much as US$148 million (£88 million).