ICYMI: Praise for Operation Tovar, Vodafone transparency & Open SSL problems
ICYMI: Praise for Operation Tovar, Vodafone transparency & Open SSL problems

Operation Tovar: Big win for cybercrime investigators

This week's Operation Tovar saw investigators from the FBI, the UK National Crime Agency, Europol – as well as various security vendors (Crowdstrike, Dell SecureWorks, McAfee, Symantec, Trend Micro) and universities (VU University Amsterdam and Saarland University)  - come together to disrupt the command and control (C&C)  infrastructure behind the nasty Gameover Zeus and CryptoLocker botnets, said to have infected more than 350,000 PCs around the globe.

The global crackdown resulted in the arrest of alleged perpetrator Evgeniy Bogachev.

While there has been a degree of misinformation – or even hyperbole - on the advisory that end-users patch their PCs within two weeks as cyber-criminals reinstate their C&C, this is good news in the global fight on cyber-crime.

Speaking at an event in central London earlier this week – where SCMagazineUK.com was in attendance – Paul Gillen, head of operations for the European Cybercrime Centre (EC3) of Europol, called the collaboration  ‘inspiring' and a sign of things to come, which is good given the concern about the international partnership earlier this year.

Vodafone transparency applauded

Internet service providers (ISPs) have long held close relationships with governments but that relationship has come under close scrutiny in the wake of Edward Snowden's leaks on NSA and GCHQ surveillance. Indeed, the revelations revealed that US telcos AT&T, Verizon and Sprint had provided the NSA with customer telephone records.

But yesterday there was evidence that the telcos are turning against unauthorised surveillance.

Vodafone released its first ever Law Enforcement Disclosure Report on how many government warrant applications it receives - and it cited 29 countries, detailing how six countries have direct links to customer phone calls and web communications.

Shami Chakrabarti, director of human rights organisation Liberty, expressed her concerns about the findings, saying: "For governments to access phone calls at the flick of a switch is unprecedented and terrifying."

Speaking to SCMagazineUK.com, F-Secure researcher Sean Sullivan applauded the move and said that the most transparent telcos will end up ‘winning'. He added that it would be easy for companies with few requests to submit their transparency requests, but harder for those – like BT – with close-government ties.

“…It's a very promising trend for companies that haven't got many requests, but other larger telcos are going to follow and it's going to be more difficult to move forward.”

More troubles for OpenSSL

Two months on from the discovery (and subsequent patching) of the Heartbleed vulnerability, researchers have found six vulnerabilities associated with the Open SSL web encryption standard.

The latest vulnerabilities can be exploited to decrypt and modify SSL and TLS traffic between clients and servers using OpenSSL, essentially allowing hackers to intercept data between PCs and web servers via Man-in-the-Middle (MiTM) attacks. They could even trick the user into sending more sensitive data like usernames and passwords. Writing on Forbes newswire, Sophos director of technology strategy James Lyne says that hackers could carry out a denial-of-service attack, or remote code execution.

Lyne suggests that talk of this having a wider spread than Heartbleed seems far-fetched but it is nonetheless the latest sign of the fragile security on the web.

Data breaches: Who's to blame?

One of the key takeaways from the second SC Congress London this week was that, when it comes to data breaches, both the CEO and CISO need to take share the accountability.

Forrester information security analyst Andrew Rose said: “It's shared accountability, although I think ultimately it comes back to the CEO funding cyber security properly - I think the Target CEO understands that now.”

He added that CISOs ‘must be asking the right questions' in order to get their hands on sufficient budget, and said that they should ensure that the right structure is in place for things like training.