Oracle publish then delete blog whining about bug finders
We’re well in the age of the ‘bug bounty’, where companies have cottoned on to the fact that it’s safer to pay those who discover security flaws in their products, than risk them being published and exploited. Well, apparently Oracle’s CSO begs to differ, as exposed in a ranting corporate blog post about how reverse engineering is against their EULA and they’d rather you didn’t look for any bugs, because they can fix them themselves thank-you-very-much.
The post was so out of kilter with the usual corporate blog posts that many people on social media thought the website had been the victim of a hack and that the post was a parody. However, once the post was removed, Oracle’s official statement on the matter actually confirmed that this was not a ruse and that the post had been removed as it did not ‘reflect our beliefs or our relationship with our customers’. The whole saga will likely backfire by encouraging a flurry of bug discoveries and further negative PR.
Wassenaar arrangement to be rewritten prior to implementation
Unsurprisingly, the outcome of the Wassenaar implementation comment period was that over 300 technology companies raised issues and objections to the proposed arrangement. The main objection was that, as written, the arrangement would seriously stifle security research due to complex, unclear language, disclosure requirements to the U.S. government and higher costs associated with doing so.
The aim of the arrangement is to crack down on intrusion software, an ever-increasing threat to cyber security but criticism came due to the huge impact this would have on the security industry. Stringent export controls would make the sharing of research and licensing of products far too and it was felt that the proposal lacked full understanding of the impact the proposed arrangement would have.
Fortunately, feedback is being taken into consideration and we can expect a revised version of the proposal within the next few months.
Jeep owners hit back with a lawsuit against Chrysler and Harman
A few weeks back, we covered the fact that researchers Chris Valasek and Charlie Miller had successfully hacked a Jeep’s computer remotely, while it was on the road, with a Wired journalist at the wheel. This made big news, with it being disclosed that a security flaw in the cellular-connected computer was to blame. This story went viral on social media and was soon followed by a 1.4 million vehicle recall. Now, almost inevitably, a class-action lawsuit has also been filed by several vehicle owners.
The plaintiffs are accusing Chrysler and Harman of fraud, negligence, unjust enrichment and breach of warranty owing to the fact that they were informed about the problem in early 2014. The problem lies in the connection between the vehicle’s internet-enabled entertainment system and its CAN bus, the network which controls vital functions such as steering and brakes. This basically means that if the entertainment system is hacked, which can be done remotely, the steering and brakes can also be compromised. The plaintiff’s lawyer claims the purpose of the action is to force Chrysler and Harman to carry out a full recall to address the issue rather than simply patching it.
Other car companies were served with similar suits earlier in the year and for similar reasons but Jeep have been the unlucky party in terms of media coverage and now face intense scrutiny over the steps they take next.
Breach of United Airlines by China-linked hackers confirmed
It’s emerged that the group of hackers, who are believed to have ties with China and who successfully breached millions of insurance records in recent months, had also successfully hacked United Airlines.
The breach was detected in May or Early June but the attack is only now being confirmed, with fingers pointing at the same group of hackers who breach Anthem Insurance earlier in the year. United Airlines are the second largest airline in the world and the data stolen is believed to include flight manifests, which include information on passengers including their origins and destinations.
While this alone is not the most alarming of data breaches, combine it with data stolen from the federal personnel office and insurance companies and this could give malicious parties some dangerous intelligence. By collating data on desirable individuals (i.e those with security clearance), such entities could choose to blackmail or recruit them for spying purposes.
Apart from this, it could also allow them to track certain high-profile individuals in order to carry out targeted attacks or identify American spies.
Russian hacker allegedly responsible for Australian financial market manipulation
Retail shareholder accounts are confirmed to have been breached and used to manipulate share prices, in a suspected case of money laundering. Over $77,000 has been seized and accounts frozen following the discovery of suspicious trades made late last year through Commsec, E Trade and Australian Investment Exchange.
The suspect collected on the profits of falsely-inflated share prices using a Morgan Stanley account and investigators claim the attack is of Russian origin. Few other details are being released but affected customers have reportedly been informed and advised on how to secure their accounts.
Limits of Tor privacy revealed
New research by a team of computer scientists demonstrated that they were able to deanonymize 88% of Tor service websites. The deanonymization requires control of the Tor entry point for the machine hosting the hidden service. It also requires the attacker to have gained unique network characteristics, which serve as a fingerprint for that particular service. While the method isn’t perfect, the researchers claim their goal was to show to deanonymization is possible without the need monitor end-to-end traffic.
Tor is the most popular cloak of secrecy for criminals, activists, journalists and potentially terrorists, with many of the hidden services being highly illegal in their activities. It was disclosed that the FBI had managed to uncover a hidden child porn site and had left it running for some weeks in order to catch its visitors. This latest research is likely to be of great interest to such agencies and to governments worldwide and should leave Tor users, regardless their motives, sleeping a little less easily at night.