Google calls Wassenaar rules unfeasible
The Wassenaar rules’ potential transposition into US law came to light a few weeks ago and just as the open comments on the proposal come to an end, Google have officially spoken out against the proposal.
“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” Neil Martin, export compliance counsel at Google, and Tim Willis of the Google Chrome security team, wrote in a post on Google’s blog.
Google’s main issue is with the rules’ definition of intrusion software, which as it currently stands would prevent anyone with unpublished security research from leaving the US with it (to travel to a security conference for example) without first publishing it or disclosing it to the NSA. The post also states that Google have given lengthy feedback on the proposals. It remains to be seen if they will be subject to any changes or passed into law.
Hack of adult cheating site exposes 37 million users
One of America’s most prominent dating sites, Ashleymadison.com which gives users the means to cheat on their spouses, has been hacked. A total of 37 million sets of user details including real names, credit card details, photos and chat logs. The group taking credit for the hack are dubbed ‘The Impact Team’ who apparently targeted the site due to moral objections to their business model. They also pointed out that the site was charging users for ‘full delete’ (i.e removing all user data) when in fact they were retaining payment information including names and addresses. An investigation is underway but users of the site should be worried.
Hackers wirelessly control and kill a Jeep
One of the latest hacking research projects has taken Twitter by storm and with good reason. The internet of things has been a subject looming large in the sphere of cyber security and this latest demonstration is scarier than most. Two hackers, Charlie Miller and Chris Valasek invited WIRED journalist Andy Greenberg to be their guinea pig as they demonstrated their ability to hack and control a Jeep while it was travelling on a highway. They hijacked the sound system, set off the wipers and then killed the transmission from their base ten miles away. Andy Greenberg felt it was too dangerous and even called them to stop.
The possibility of hacking cars, or rather the computers which control their electronics is not completely new and had been demonstrated by the same hackers and journalist back in 2013. The difference is that now they can do it wirelessly. You don’t need the greatest of imaginations to imagine the terrifying possibilities for this type of attack, nor the huge costs for car manufacturers who would need to somehow update or even recall thousands or even millions of affected cars.
CVS pharmacy chain suffers breach
The latest health company breach has been disclosed, this time affecting pharmacy chain CVS. Fortunately, this is not medical data which has been affected, but rather customers of their photo center, cvsphoto.com. This news comes as part of a larger breach originating from the independent vendor which manages the service, other retailers such as Walmart Canada and Costco may also have been affected.
Four zero days disclosed in Internet Explorer
It seems to be the month of the zero days. Adobe have just released the update with patches for several Flash vulnerabilities uncovered by the Hacking Team breach and Oracle fixed 93 bugs last week. Now it’s the turn of ailing browser Internet Explorer, with a recent security initiative having uncovered four new vulnerabilities at November’s ‘Pwn2Own’ event.
Microsoft were apparently informed at the time but it’s the policy of the initiative to release the details 120 days after discovery, whether the vulnerability has been patched or not. Their statement details the worst of these vulnerabilities
“The vulnerability relates to how Internet Explorer processes arrays representing cells in HTML tables. By manipulating a document’s elements an attacker can force a Internet Explorer to use memory past the end of an array of HTML cells.”
This would basically allow an attacker to add and execute malicious code as part of the usual processes of the browser. The other vulnerabilities relate to how IE handles objects. As none of these vulnerabilities have been patched and the details have now been published it would be advisable to avoid using Internet Explorer until the vulnerabilities have been fixed.