»Ongoing leaks from former NSA contractor Edward Snowden continue to damage the reputation of GCHQ, with recent documents alleging that the UK surveillance body harvested webcam images from some 1.8 million Yahoo user accounts, many of them sexually explicit, and that it also hacked into German satellite and communications companies.
»In somewhat brighter news, last month GCHQ announced that it is now working with universities to launch GCHQ-accredited postgraduate degrees, a move which will hopefully reduce the cyber security skills gap.
»A research team at the University of Liverpool has created an aggressive proof-of-concept piece of malware which is designed to propagate via WiFi and use multiple attack vectors to infect any computer system it encounters. Known as Chameleon, the malware has been designed to rotate through multiple known structural weaknesses in wireless access points and systems, while avoiding detection using multiple methodologies. The malware has no payload, but tests carried out in Belfast and London showed that it successfully propagates itself across various networks.
»The UK's first national computer emergency response team has finally launched, some 15 months after it was first unveiled as part of the government's £650 million cyber security strategy. CERT-UK is headed up by Chris Gibson, the former director of e-Crime at Citigroup and global chair of the Forum of Incident Response and Security Teams (FIRST). The group will be tasked with liaising with UK businesses and other national CERTs, including those in financial services and education, on cyber security issues, particularly those relating to national infrastructure. The UK government's Cyber Security Information Sharing Partnership (CISP) has been integrated as part of the group.
»Basecamp, the web-based online collaboration and project management service, was hit by a huge DDoS attack where cyber-criminals asked for a ransom to stop the attack. The attack came shortly after a report from NSFocus Information Technology revealed that there are now almost 278 DDoS attacks taking place every hour against major companies around the world.
»A study from Turnkey Consulting has shown that there continues to be a disconnect between IT teams and the boardroom, with one in six security professionals believing that their organisation sees security as an “unnecessary expense only undertaken to keep auditors happy.” Only just over a third (37.5 percent) of organisations view security as an “essential business practice that can deliver ROI”, down from 43.9 percent the year before. Richard Hunt, managing director of Turnkey Consulting, said: “It is concerning to see that IT security is still not perceived to be an integral part of the business.”
»Microsoft has finally ended support for Windows XP. The end-of-life has brought concerns that hackers may be storing up zero-day exploits for a ‘wild west’ attack on companies still running the OS, since flaws found from now on will never be patched. Some public sector organisations have, however, negotiated deals with Microsoft to continue support. The Cabinet Office signed a £5.5 million deal with the software giant to keep receiving XP security updates for the next 12 months, and others are expected to follow suit. Some anti-malware vendors continue to offer security support for the platform, although that does not replace operating system patches.
»The Metropolitan Police has admitted that it's still coming to terms with cyber security, both in capturing cyber-criminals and in bringing them to justice. Speaking at the first SC Congress London, Mark Jackson, detective superintendent of the recently-established Met Police Cyber Crime Unit (which replaced the Police Central e-Crime Unit), said that his group was still looking to recruit the right people, with a mix of detective and cyber skills, and finding out how to work with other law enforcement agencies, such as the National Crime Agency and National Cyber Crime Unit. He said that cyber crime cost the UK economy £81 billion in 2013, up from £27 billion in 2011. “Online is the high street that hasn't been policed,” he said. “Law and legislation hasn't caught up with this type of crime. Why go into the bank with a shotgun when [criminals] can do it online from home? If they're really unlucky and get caught, they go to prison for a short amount of time.”
»The ‘Heartbleed’ bug (CVE-2014-0160), discovered independently by Finnish security firm Codenomicon and Google, is a flaw in OpenSSL's implementation of the TLS heartbeat extension, present in OpenSSL 1.0.1 through 1.0.1f, the library used to protect many of the world's websites. It is described as a “potentially disastrous” security flaw that allows hackers to steal data from millions of websites worldwide. A malformed heartbeat request makes the server reply with up to 64KB of its own process memory, and the request can be repeated indefinitely without appearing in any log. That memory can contain the site's private key, which lets an attacker impersonate the site and, where connections did not use forward-secret cipher suites, decrypt any captured past traffic as well as future traffic; it can also contain “anything worth encrypting”, including session cookies, user passwords and financial details. OpenSSL is used by the Apache and nginx web servers, which host more than 500 million websites, though it is unclear how many run the affected versions. Affected sites need to upgrade to OpenSSL 1.0.1g (or rebuild with heartbeats disabled) first, and only then revoke and reissue certificates and ask users to change passwords, since new keys and credentials loaded onto an unpatched server can be stolen in the same way.
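The heartbeat exchange above, as an added illustration that is not code from the article or from OpenSSL: a heartbeat_request carries a two-byte payload_length, and the vulnerable code copied that many bytes back to the client without checking them against the length of the record that actually arrived. The simulation below lays a constructed "heap" (a fake cookie and private key) immediately after the incoming record so the result is deterministic; in a real ntpd-style process what leaks is whatever earlier allocations happen to sit nearby. The bounds check in `patched_handler` mirrors the one-line fix shipped in 1.0.1g.

```python
import struct
from typing import Callable, Optional

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for whatever else sits in the server's heap next to the
# incoming record. In a real process these would be earlier allocations.
HEAP_NEIGHBOURS = (b"Cookie: session=8f3a...; "
                   b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...")


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """heartbeat_request: type(1) || payload_length(2) || payload || padding.
    An honest client sets claimed_length == len(payload); an attacker sets it larger."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_length: int) -> Optional[bytes]:
    """Pre-1.0.1g behaviour: trusts payload_length and copies that many bytes
    from the record buffer, regardless of how long the record really is."""
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    # record_length is ignored here; that omission is the bug.
    return struct.pack("!BH", HB_RESPONSE, payload_length) + memory[3:3 + payload_length]


def patched_handler(memory: bytes, record_length: int) -> Optional[bytes]:
    """1.0.1g behaviour: drop records too short to be a heartbeat at all, and
    drop any whose claimed payload (plus header and padding) exceeds the record."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None  # silently discarded, which is exactly what the fix does
    return struct.pack("!BH", HB_RESPONSE, payload_length) + memory[3:3 + payload_length]


def leaked_bytes(handler: Callable[[bytes, int], Optional[bytes]],
                 payload: bytes, claimed_length: int) -> bytes:
    """Run one request through a handler and return whatever came back beyond
    the client's own payload and padding, i.e. the bytes that should never leave the server."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + HEAP_NEIGHBOURS  # the record sits at the start of our fake heap
    response = handler(memory, len(record))
    if response is None:
        return b""
    return response[3 + len(payload) + MIN_PADDING:]


if __name__ == "__main__":
    # Honest request: both handlers echo the five-byte payload and nothing more.
    print(patched_handler(build_heartbeat(b"hello", 5) + HEAP_NEIGHBOURS, 24))
    # Attack: claim 65535 bytes of payload while sending five.
    print(leaked_bytes(vulnerable_handler, b"hello", 65535))  # the fake key and cookie
    print(leaked_bytes(patched_handler, b"hello", 65535))     # b''
```

The check is deliberately against `record_length`, the number of bytes that arrived on the wire, not against the attacker-supplied field; any length the client controls has to be validated against something the server measured itself.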
»Earlier this year content delivery network CloudFlare reported that one of its clients, whose name was not disclosed, was hit by one of the biggest distributed denial of service (DDoS) attacks ever seen on European networks. CloudFlare said that the attack was close to 400Gbps, making it bigger than last year's DDoS attack against anti-spam outfit Spamhaus, which was measured at just over 300Gbps. French hosting outfit OVH later reported that it had fended off a 350Gbps attack. It is not known if the same attacker was responsible. A reflection technique was used to magnify the attacker's capabilities, in this case leveraging the network time protocol (NTP, UDP port 123): the attacker sends small queries with the victim's spoofed source address to NTP servers that answer with far larger responses, so the servers do the flooding. Operators can remove themselves from the pool of usable reflectors by disabling the mode 7 ‘monlist’ query (or upgrading to an ntpd release that no longer answers it), and networks that filter spoofed source addresses at their edge (BCP 38) stop their customers being used to launch such attacks.
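An added detection example, not from the article or from CloudFlare: a parser for the NTP header fields that distinguish an ordinary client poll from a mode 7 ‘monlist’ request or reply, run over a few constructed datagrams. The reply is the interesting direction: a host sending mode 7 responses with the R bit set is an open reflector, and the address it sends them to is the victim. The addresses, the 8-byte probe and the 440-byte reply used below are constructed for this example, so the amplification figure it prints is a property of the sample, not a measurement.

```python
import struct
from typing import List, Optional, Tuple

# ntpd mode 7 request codes that dump the monitor list
# (REQ_MON_GETLIST = 20 and REQ_MON_GETLIST_1 = 42 in ntpd's ntp_request.h).
MONLIST_CODES = {20, 42}

# Constructed monlist probe: first byte 0x17 = R:0 M:0 VN:2 mode:7,
# auth/seq 0, implementation 3 (IMPL_XNTPD), request code 42, then zeros.
MONLIST_PROBE = bytes.fromhex("1700032a00000000")

# Constructed first reply packet: 0xd7 = R:1 M:1 VN:2 mode:7, 6 items of 72 bytes.
MONLIST_REPLY = bytes.fromhex("d700032a00060048") + b"\x00" * (6 * 72)


def parse_ntp(payload: bytes) -> Optional[dict]:
    """Decode just the header fields needed to recognise mode 7 traffic."""
    if len(payload) < 4:
        return None  # no real NTP packet is this short
    first = payload[0]
    info = {
        "response": bool(first & 0x80),  # R bit: set on replies only
        "more": bool(first & 0x40),      # M bit: more reply packets follow
        "version": (first >> 3) & 0x07,
        "mode": first & 0x07,
    }
    if info["mode"] == 7:
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
        if len(payload) >= 8:
            # err/nitems and mbz/itemsize are 4-bit/12-bit pairs
            err_nitems, mbz_size = struct.unpack("!HH", payload[4:8])
            info["nitems"] = err_nitems & 0x0FFF
            info["item_size"] = mbz_size & 0x0FFF
    return info


def classify(payload: bytes) -> str:
    info = parse_ntp(payload)
    if info is None:
        return "malformed"
    if info["mode"] != 7:
        return "normal"  # client, server, symmetric or broadcast modes
    if info.get("request_code") not in MONLIST_CODES:
        return "mode7-other"
    return "monlist-response" if info["response"] else "monlist-request"


def find_reflection(datagrams: List[Tuple[str, str, int, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (reflector, target, reason) for every datagram that is part of a
    monlist reflection exchange. Input tuples are (src_ip, dst_ip, dst_port, payload)."""
    findings = []
    for src, dst, dport, payload in datagrams:
        kind = classify(payload)
        if kind == "monlist-request" and dport == 123:
            findings.append((dst, src, "monlist request: dst probed as reflector, src is likely spoofed"))
        elif kind == "monlist-response":
            findings.append((src, dst, "monlist response: src is an open reflector, dst is the target"))
    return findings


def amplification(request: bytes, responses: List[bytes]) -> float:
    """Bytes of reply produced per byte of request, for one exchange."""
    return sum(len(r) for r in responses) / len(request)


# Constructed sample: an ordinary v3 client poll, a probe carrying the
# victim's spoofed source address, and the reflector's reply to the victim.
SAMPLE = [
    ("203.0.113.9",  "198.51.100.5", 123, bytes([0x1B]) + b"\x00" * 47),
    ("192.0.2.77",   "198.51.100.5", 123, MONLIST_PROBE),
    ("198.51.100.5", "192.0.2.77",   123, MONLIST_REPLY),
]

if __name__ == "__main__":
    for finding in find_reflection(SAMPLE):
        print(finding)
    # A full monlist dump is returned as many packets; 100 is used here as a sample count.
    print("amplification x", amplification(MONLIST_PROBE, [MONLIST_REPLY] * 100))
```

Run against real traffic, the request direction is only a hint, since the source address is exactly what the attacker forges; the response direction identifies the reflector reliably, and that is the host whose `ntp.conf` needs `disable monitor` or an upgrade.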
»The Department for Business, Innovation and Skills (BIS) has launched the Cyber Essentials Scheme as part of the Government's Cyber Security Strategy. The scheme will enable an independent assessment of the essential security controls that organisations should have in place, giving them a level of confidence that they are mitigating risks from internet-based threats. The assessment framework for the Cyber Essentials Scheme is now available for external consultation.