UK surveillance policies leaked online

UK privacy campaigners Privacy International have managed to get their hands on, and subsequently released, a set of UK surveillance policies. What these policies reveal is the extent to which government agencies such as MI5 and GCHQ have access to citizen data from entities such as the NHS, petition sites, trade unions, telecommunication providers and the police. Basically, the government has every bit of data out there about every British citizen, and while much of it is of little interest, it does lend itself to some Orwellian paranoia. This mass collection of data is apparently possible due to the 1984 Telecommunications Act (appropriate choice of year there), and is now being ratified through the UK Investigatory Powers Bill, which we’ve blogged about in the past.

What really lies behind some of the bigger DDoS attacks?

Police are reportedly now taking DDoS attacks more seriously, thanks in part to last year’s TalkTalk hack. That high-profile hack began with a DDoS attack, but the DDoS turned out to be a shield for a SQL injection attack carried out at the same time. The National Crime Agency’s head of operations spoke at a conference this week and admitted that the police were now having to take these increasingly common attacks more seriously, undoubtedly placing increasing strain on an already under-resourced area of the police force.

Singapore brings in penalties for firms suffering data breaches

In a similar manner to the Information Commissioner’s Office of the UK, the Personal Data Protection Commission of Singapore has started giving out fines to firms that fail to adequately protect consumer information. Those to receive fines so far include tech brand Xiaomi, an IT chain called Challenger Technologies and K Box Entertainment Group. Since the Personal Data Protection Act was rolled out in 2014, the department has investigated 667 cases, of which 92% were apparently resolved through ‘investigation and facilitation’. All public sector organisations and government agencies are exempt from the act, which is designed only to address the private sector.

Oracle patch 136 vulnerabilities

Oracle have this month released a huge patch update, reportedly fixing 136 vulnerabilities across their range of technologies and software. Five of these issues affect the Oracle Database Server, while 22 are related to the Oracle Fusion Middleware. Seven of the 136 vulnerabilities received the maximum CVSS score of 10 and the oldest issue patched dates back to 2011. Another critical patch update is expected to be delivered in July.

China takes a chunk out of Apple’s regional profits

In the wake of Edward Snowden’s leaks, China has been gradually withdrawing its approval of, or censoring, a number of tech giants, including Google, Cisco, Intel and McAfee, amid fears of espionage. However, it’s also believed that some of these are acts of censorship against Western ideology, and this latest step against Apple certainly seems to fall into that category. Regulators in Beijing have reportedly demanded the closing of Apple’s iBooks store and its iTunes movies service, content products which contribute 3% of Apple’s overall profits.

Australia to get a cyber minister

This week the Australian Prime Minister Malcolm Turnbull is due to announce a $240m cybersecurity strategy. The focus of this strategy is to enable greater collaboration between businesses and the government, in a similar way to plans laid out in the US. Millions have already been set aside by the government under various other funds and strategies to address cyber security. While we’re yet to receive the full details of this new strategy, we know that it does include the appointment of a dedicated minister to assist the PM on cyber security matters and also the appointment of a special adviser to sit within the same department as the PM and his Cabinet.

Survey shows decline in public trust of Internet

A recent survey of over 24,000 Internet users has revealed that 83% of people believe new rules and laws are required to govern how companies and governments can use personal data. 85% also believe that their own governments need to work more closely with third parties and foreign countries to make the Internet more secure. More than half of respondents also admitted to being more concerned about their online privacy than they were a year ago.

Ministry of Defence contractor hacked

Rumours circulating about the Ministry of Defence (MoD) having been hacked and personnel details exposed have now been confirmed. The leak came from a third party company funded by the MoD called Niteworks, who according to a press release offer ‘wide-ranging expert advice in support of armed forces operations and capability planning, including the delivery of effective training through defending against cyber attack’. Oh the irony. A total of 831 sets of personal details are believed to have been leaked, and their website was also defaced as part of the attack. It’s unknown who carried out the attack and whether there are any further consequences besides accessing the site’s data.

Researcher claims to have hacked Facebook and found he wasn’t the first

A Taiwanese pen-tester has this week claimed to have found a backdoor on a Facebook staff server, which already had malware installed in order to capture the logins of anyone using the machine. He has since published a full write-up, but fortunately it appears that the backdoor was set up by another security researcher. Facebook have rewarded the bounty hunter for his work and confirmed that no user data has been affected. The server affected was running third party software and had therefore been purposely isolated.

Adobe patch an XSS flaw in Flash library app

Yes, poor beleaguered Flash again. This time the vulnerability patched was in the Adobe Analytics AppMeasurement app, which can be added to the Flash library to measure usage. This particular vulnerability was described as a DOM-based Cross-Site Scripting flaw, which could allow cookie theft and result in malicious JavaScript execution. Adobe have advised that this flaw only poses a risk when the ‘debugTracking’ option is enabled, which is usually disabled by default. Regardless, they have now issued a patch to all users.
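The pattern behind a flaw like this, where a client-side sink is only reachable when a debug option is switched on, is worth seeing side by side with its fix. The following is an added example written for this post; it is not Adobe’s AppMeasurement code and does not reproduce the actual flaw. The `debugTracking` parameter, the rendering functions and the sample fragments are all constructed for illustration, and a tiny object stands in for a DOM element so the snippet runs under Node without a browser.

```javascript
// Added example (not Adobe's AppMeasurement code): a DOM-based XSS sink that is
// only reachable behind a debug flag, shown beside a hardened version. The flag
// name, the rendering functions and the sample inputs are hypothetical/constructed.

// Minimal stand-in for a DOM element so this runs under Node without a browser.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: when debug tracking is on, the URL fragment is echoed into
// the page through innerHTML, so any markup in the fragment is parsed as HTML.
function renderDebugUnsafe(el, locationHash, debugTracking) {
  if (!debugTracking) return el; // sink is unreachable in the default configuration
  const fragment = decodeURIComponent(locationHash.replace(/^#/, ''));
  el.innerHTML = '<p>debug fragment: ' + fragment + '</p>';
  return el;
}

// Escape the characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: same diagnostic output, but the untrusted value is written via
// textContent (inert in a real browser) or escaped before it reaches innerHTML.
function renderDebugSafe(el, locationHash, debugTracking) {
  if (!debugTracking) return el;
  const fragment = decodeURIComponent(locationHash.replace(/^#/, ''));
  el.textContent = 'debug fragment: ' + fragment;
  // Only if markup structure is genuinely needed, escape first:
  el.innerHTML = '<p>debug fragment: ' + escapeHtml(fragment) + '</p>';
  return el;
}

// Review-time check: does rendered HTML contain a script-capable tag, or any tag
// carrying an inline event handler? Escaped output has no '<' and never matches.
function containsActiveMarkup(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b|<[a-z]+[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample inputs: a normal fragment and one carrying markup.
const benignHash = '#page%3Dhome';
const hostileHash = '#%3Cimg%20src%3Dx%20onerror%3Dprobe()%3E';

// Compare both renderers on both inputs, and confirm the sink is dark when the
// debug flag is off (which is why the post notes the default setting matters).
function demo() {
  const results = {};
  for (const [name, hash] of [['benign', benignHash], ['hostile', hostileHash]]) {
    results[name] = {
      unsafe: containsActiveMarkup(renderDebugUnsafe(makeElement(), hash, true).innerHTML),
      safe: containsActiveMarkup(renderDebugSafe(makeElement(), hash, true).innerHTML),
      off: renderDebugUnsafe(makeElement(), hash, false).innerHTML === '',
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The takeaway for reviewers is that a sink gated by a debug or diagnostics flag is still a sink: it needs the same output encoding as production code paths, because a customer only has to flip one option to expose it.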


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.