China’s security strategy may be to blame for App Store breach


China’s “Great Firewall,” which keeps users from accessing Facebook, The New York Times, and other sites seen as a threat to the Communist Party, might be partly to blame for a hack that infiltrated the Apple App Store in China. Hackers targeted software that developers use to create apps for Apple’s App Store. In China, access to foreign websites can be spotty and slow. The hackers advertised a faster download for Apple’s development tool kit, called Xcode, that, instead of being hosted on Apple’s official servers, was on Baidu’s cloud service, which hosts very fast downloads. The malicious version of the tool kit then compromised some of the most popular apps in China, including Tencent Holdings’ WeChat, Didi Dache, a streaming music service from Netease and a train-ticketing site. “This is the most widespread and significant spread of malware in the history of the Apple app store, anywhere in the world,” said an activist site that tracks China’s Internet firewall. Source: Fortune

$1 million bounty offered to whoever cracks iOS9

Security firm Zerodium says it will pay $1 million to anyone who gives the company a hacking technique that can remotely take over an Apple iPhone or iPad running iOS 9 via a Web page the victim visits, a vulnerable app on the victim’s device, or by text message. The company says it’s willing to pay the bounty multiple times, though it may cap the payouts at $3 million. “Due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” reads the statement on Zerodium’s website. “But … secure does not mean unbreakable; it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.” Source: Wired

Countries consider cyber code of conduct

The United States and China are working on an agreement defining rules of engagement for cyber warfare. The negotiations are under way ahead of Chinese President Xi Jinping’s official state visit this week, with a goal to announce the accord on Thursday. Under the terms of the agreement, neither country will be the first to launch cyber attacks on the other’s critical infrastructure, such as power grids or cellphone networks, during peacetime. Intelligence and defense agencies have expressed increased concern that utilities are vulnerable to a devastating attack that some have described as a “cyber Pearl Harbor.” One senior official involved in the discussions says President Obama and Xi likely would announce a “generic embrace” of a code of conduct recently adopted by a United Nations working group. Source: The New York Times

Google’s appeal fails to appeal to French

France’s data privacy regulator rejected Google’s appeal of an order to remove search results worldwide upon request, saying that companies that operate in Europe need to abide by the prevailing laws. The agency, known as CNIL, denied that it was trying to apply French law on the “right to be forgotten” globally, as Google had accused the watchdog of doing. Its latest order came in response to the May 2014 ruling from Europe’s highest court that people have the right to control what appears when their name is searched online. It is up to the data privacy regulators of each country to implement the EU-wide decisions. Google says it has received 318,269 requests for removal, and delisted about 40 percent of the URLs that it evaluated as part of the requests. Facebook links accounted for the most of any single website, Google said. Google had no immediate response but has argued that agreeing to the request would leave it—and the free flow of information—vulnerable to similar orders from any government, democratic or totalitarian. Source: ABC News

Paying the price

A former Morgan Stanley financial adviser fired in connection with a major breach of client information pleaded guilty to taking confidential data for hundreds of thousands of customer accounts from a bank computer without permission. Galen Marsh worked in the private wealth management division. The hearing came nine months after the bank announced it had fired him in connection with a data breach that resulted in account information for hundreds of clients getting published online. Marsh copied names, addresses, account numbers, investment information, and other data for approximately 730,000 accounts, prosecutors said in court papers. In January, Morgan Stanley said up to 10 percent of its approximately 3.5 million wealth management clients were affected. Source: Reuters

Truth, justice and the cyber secure way

More than two-thirds (68 percent) of information security professionals would prefer to vote for a presidential candidate who has a strong cybersecurity policy, according to a Tripwire survey of 210 information security professionals. When asked what role cybersecurity policy and regulation play in the upcoming presidential election, more than half of respondents (54 percent) said it would be a key issue. However, nearly a third (32 percent) of respondents acknowledged that while most candidates will discuss cybersecurity, these discussions would be mainly rhetoric. “It was surprising to see the level of skepticism in the information security community,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “A large percentage, though not a majority, felt that cybersecurity policy would not be a key issue in the upcoming election, either because of complexity or simply interest.” Source: eWeek

Sharing may not be a choice

Most businesses don’t have cybersecurity insurance, with many not even aware such protection exists. Those that do have policies may find themselves at a loss if they don’t have the correct coverage. The solution may be to mandate more data sharing and raise public awareness, according to speakers at a round-table organized by software security company Kaspersky Lab. “The state can encourage the sharing of data. Ideally it should be voluntary, but if there is an absence of sharing, we would like the government to enforce the sharing of data,” said Nick Beecroft, manager, emerging risks & research, Lloyds. Recent cyber-crime incidents include an identity theft attack on Anthem Insurance that exposed 78.8 million records, as well as a 21 million record breach at the Office of Personnel Management; a 50 million record breach at Turkey’s General Directorate of Population and Citizenship Affairs; and a 20 million record breach at Russia’s Topface. In total, 246 million records were compromised by criminal activity in the first six months of 2015, according to statistics provided by Gemalto. Source: Banking Tech

Looking over the border

Beazley has joined forces with Lloyd’s syndicates managed by Aspen and Brit Global Specialty to launch the International Cyber Consortium, which will focus on providing data breach coverage to businesses outside the United States with revenues in excess of $5 billion. The security underpinning policies will be 100 percent Lloyd’s, with Beazley as consortium manager and leading on claims handling, Beazley said in a statement. “Businesses outside the United States are rapidly discovering what U.S. businesses and their customers have known for some years: that a data breach is not a matter of if, but when,” said Paul Bantick, head of London and international business for Beazley’s technology, media and business services focus group. Source: Insurance Journal

Don’t waffle when facing off with Facebook

Belgian regulators urged a judge not to be intimidated by Facebook as they sought an order forcing the company to change its privacy policies to comply with local law. The Belgian Privacy Commission is one of several European regulators that have taken issue with Facebook’s handling of user data. The European Union’s 28 privacy watchdogs are coordinating national probes into possible violations of EU law by Facebook’s revamped policy for handling personal photos and data. Dutch regulators were the first to step in after Facebook alerted its users in November of changes effective in January. “Don’t be intimidated by Facebook,” Frederic Debussere, a lawyer representing the Belgian privacy commission, told a Belgian court at a hearing in Brussels. “They will argue our demands cannot be implemented in Belgium alone. Our demands can be perfectly implemented just in this country.” Facebook has said that it should only be subjected to privacy laws in Ireland, where the U.S. company has its European headquarters. Source: Bloomberg Business

Small businesses, big worries

Worries about cyber are at the forefront of Main Street businesses, according to online payroll services provider SurePayroll. The company’s monthly Small Business Scorecard optimism survey found that 60 percent of small business owners are concerned enough about cyber crime to take extra precautions assuring their data is secure, up from 56 percent a year ago. “Small business owners understand that any sort of breach or lack of confidence when it comes to online security could have a big impact,” said SurePayroll General Manager Andy Roe. Among the types of measures small companies are using to protect their information are firewalls, off-site protected servers, multi-factor authentication, encrypted emails and multiple layers of password protection, Roe said. An overwhelming majority of respondents—85 percent—said they would be willing to inconvenience customers if it meant better protecting their online security when using the company’s products, services or websites. Source: The (Chicago) Daily Herald