China’s security strategy may be to blame for App Store breach


China’s “Great Firewall,” which keeps users from accessing Facebook, The New York Times, and other sites seen as a threat to the Communist Party, might be partly to blame for a hack that infiltrated the Apple App store in China. Hackers targeted software that developers use to create apps for Apple’s App store. In China, access to foreign websites can be spotty and slow. The hackers advertised a faster download for Apple’s development tool kit called Xcode that, instead of being hosted on Apple’s official servers, was on Baidu’s cloud service, which hosts very fast downloads. The malicious version of the tool kit then compromised some of the most popular apps in China, including Tencent Holdings’ WeChat, Didi Dache, a streaming music service from Netease and a train-ticketing site. “This is the most widespread and significant spread of malware in the history of the Apple app store, anywhere in the world,” said Greatfire.org, an activist site tracking China’s Internet firewall. Source: Fortune

$1 million bounty offered to whoever cracks iOS9

Security firm Zerodium says it will pay $1 million to anyone who gives the company a hacking technique that can remotely take over an Apple iPhone or iPad running iOS 9 via a Web page the victim visits, a vulnerable app on the victim’s device, or by text message. The company says it’s willing to pay the bounty multiple times, though it may cap the payouts at $3 million. “Due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” reads the statement on Zerodium’s website. “But … secure does not mean unbreakable; it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.” Source: Wired

Countries consider cyber code of conduct

The United States and China are working on an agreement defining rules of engagement for cyber warfare. The negotiations are under way ahead of Chinese President Xi Jinping’s official state visit this week, with a goal to announce the accord on Thursday. Under the terms of the agreement, neither country will be the first to launch cyber attacks on the other’s critical infrastructure, such as power grids or cellphone networks, during peacetime. Intelligence and defense agencies have expressed increased concern that utilities are vulnerable to a devastating attack that some have described as a “cyber Pearl Harbor.” One senior official involved in the discussions says President Obama and Xi likely would announce a “generic embrace” of a code of conduct recently adopted by a United Nations working group. Source: The New York Times

Google’s appeal fails to appeal to French

France’s data privacy regulator rejected Google’s appeal of an order to remove search results worldwide upon request, saying that companies that operate in Europe need to abide by the prevailing laws. The agency known as CNIL denied that it was trying to apply French law on the “right to be forgotten” globally, as Google had accused the watchdog of doing. Its latest order came in response to the May 2014 ruling from Europe’s highest court that people have the right to control what appears when their name is searched online. It is up to the data privacy regulators of each country to implement the EU-wide decisions. Google says it has received 318,269 requests for removal, and delisted about 40 percent of the URLs that it evaluated as part of the requests. Facebook links accounted for the most of any single website, Google said. Google had no immediate response but has argued that agreeing to the request would leave it—and the free flow of information—vulnerable to similar orders from any government, democratic or totalitarian. Source: ABC News

Paying the price

A former Morgan Stanley financial adviser fired in connection with a major breach of client information pleaded guilty to taking confidential data for hundreds of thousands of customer accounts from a bank computer without permission. Galen Marsh worked in the private wealth management division. The hearing came nine months after the bank announced it had fired him in connection with a data breach that resulted in account information for hundreds of clients getting published online. Marsh copied names, addresses, account numbers, investment information, and other data for approximately 730,000 accounts, prosecutors said in court papers. In January, Morgan Stanley said up to 10 percent of its approximately 3.5 million wealth management clients were affected. Source: Reuters

Truth, justice and the cyber secure way

More than two-thirds (68 percent) of information security professionals would prefer to vote for a presidential candidate who has a strong cybersecurity policy, according to a Tripwire survey of 210 information security professionals. When asked what role cybersecurity policy and regulation play in the upcoming presidential election, more than half of respondents (54 percent) said it would be a key issue. However, nearly a third (32 percent) of respondents acknowledged that while most candidates will discuss cybersecurity, these discussions would be mainly rhetoric. “It was surprising to see the level of skepticism in the information security community,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “A large percentage, though not a majority, felt that cybersecurity policy would not be a key issue in the upcoming election, either because of complexity or simply interest.” Source: eWeek

Sharing may not be a choice

Most businesses don’t have cybersecurity insurance, with many not even aware such protection exists. Those that do have policies may find themselves at a loss if they don’t have the correct coverage. The solution may be to mandate more data sharing and raise public awareness, according to speakers at a round-table organized by software security company Kaspersky Lab. “The state can encourage the sharing of data. Ideally it should be voluntary, but if there is an absence of sharing, we would like the government to enforce the sharing of data,” said Nick Beecroft, manager, emerging risks & research, Lloyds. Recent cyber-crime incidents include an identity theft attack on Anthem Insurance that exposed 78.8 million records, as well as a 21 million record breach at the Office of Personnel Management; a 50 million record breach at Turkey’s General Directorate of Population and Citizenship Affairs; and a 20 million record breach at Russia’s Topface. In total, 246 million records were compromised by criminal activity in the first six months of 2015, according to statistics provided by Gemalto. Source: Banking Tech

Looking over the border

Beazley has joined forces with Lloyd’s syndicates managed by Aspen and Brit Global Specialty to launch the International Cyber Consortium, which will focus on providing data breach coverage to businesses outside the United States with revenues in excess of $5 billion. The security underpinning policies will be 100 percent Lloyd’s, with Beazley as consortium manager and leading on claims handling, Beazley said in a statement. “Businesses outside the United States are rapidly discovering what U.S. businesses and their customers have known for some years: that a data breach is not a matter of if, but when,” said Paul Bantick, head of London and international business for Beazley’s technology, media and business services focus group. Source: Insurance Journal

Don’t waffle when facing off with Facebook

Belgian regulators urged a judge not to be intimidated by Facebook as they sought an order forcing the company to change its privacy policies to comply with local law. The Belgian Privacy Commission is one of several European regulators that have taken issue with Facebook’s handling of user data. The European Union’s 28 privacy watchdogs are coordinating national probes into possible violations of EU law by Facebook’s revamped policy for handling personal photos and data. Dutch regulators were the first to step in after Facebook alerted its users in November of changes effective in January. “Don’t be intimidated by Facebook,” Frederic Debussere, a lawyer representing the Belgian privacy commission, told a Belgian court at a hearing in Brussels. “They will argue our demands cannot be implemented in Belgium alone. Our demands can be perfectly implemented just in this country.” Facebook said that it should only be subjected to privacy laws in Ireland, where the U.S. company has its European headquarters. Source: Bloomberg Business

Small businesses, big worries

Worries about cyber are at the forefront of Main Street businesses, according to online payroll services provider SurePayroll. The company’s monthly Small Business Scorecard optimism survey found that 60 percent of small business owners are concerned enough about cyber crime to take extra precautions assuring their data is secure, up from 56 percent a year ago. “Small business owners understand that any sort of breach or lack of confidence when it comes to online security could have a big impact,” said SurePayroll General Manager Andy Roe. Among the types of measures small companies are using to protect their information are firewalls, off-site protected servers, multi-factor authentication, encrypted emails and multiple layers of password protection, Roe said. An overwhelming majority of respondents—85 percent—said they would be willing to inconvenience customers if it meant better protecting their online security when using the company’s products, services or websites. Source: The (Chicago) Daily Herald