Weekly Cybernote #7

For this latest edition of the Weekly Cybernote, we will expand on three hot topics that have been widely debated on the internet over the past week: the notorious hack on eBay’s website and the theft of its users’ data, the zero-day flaw identified on Internet Explorer 8 that had still not been fixed by Microsoft even after 7 months, and lastly, new revelations from WikiLeaks about the NSA. 

eBay victim of hacking: personal data of millions of users exposed
eBay, the online auction giant, was last week the victim of a major online attack that aimed to retrieve its users’ private data. The attack compromised the American giant’s databases, which contained, among other things, its users’ encrypted passwords. Following the detection of this attack, eBay decided to act in full transparency and reacted quickly by asking users to change their passwords as soon as they could. Fortunately, only a tiny portion of eBay users were affected by this attack – those who accessed the site between late February and early March. Apparently, eBay discovered this attack about two weeks ago. eBay has indicated that it is currently working with a team of experts to identify the masterminds of this attack, who are still unknown. The only upside: PayPal data of users of the auctioning service was intact, as it is stored separately in encrypted formats.

Internet Explorer 8: a zero-day vulnerability still unfixed after more than 7 months
The Redmond-based firm dropped a bombshell last week – it was discovered that Microsoft had not fixed a security flaw, dating back to October 2013, that affects its web browser Internet Explorer 8. This is no small flaw, since it would allow an attacker to install malicious code on workstations in order to take full control of them. It is currently estimated that more than 20% of Microsoft users surf the net using IE8, making it an even more dangerous vulnerability. For a hacker to exploit this flaw, he would need to trick his potential victim into visiting a website that has been specially crafted for this purpose, in IE8 of course. Conventional methods (phishing e-mails, instant messages containing fraudulent links, etc.) may help a hacker to launch his attack. This vulnerability was discovered in October 2013 by Peter Van Eeckhoutte, a Belgian researcher, during the Zero Day Initiative program. Despite this discovery, Microsoft has still not done anything since then to fix the flaw. Microsoft has communicated on the subject by asking its users to install the patch released urgently at the beginning of the month. Arkoon+Netasq’s ExtendedXP allows protecting workstations running on Windows XP and using Internet Explorer 8.

WikiLeaks: the NSA allegedly recorded all communications in Afghanistan
The famous whistle-blowing website WikiLeaks has just revealed that Afghanistan is the second country in which the NSA has recorded all cell phone communications. This is the country that media outlets such as The Washington Post and The Intercept had preferred not to name for security reasons. WikiLeaks has stated that it does not wish to name the source of this revelation in order to protect it. Julian Assange’s service therefore continues to stand up to state censorship, going as far as to claim that to date, no proof has been submitted by any government organization to show that any of the eight million publications revealed by WikiLeaks has prejudiced anyone in particular. For WikiLeaks, hiding such information would therefore condone and participate in this organized censorship.

Weekly Cybernote #6

For today’s Weekly Cybernote, we will focus on two security-related current events that have been highly discussed on the web for more than a month and a half now: the end of support for Windows XP and the Heartbleed flaw. We will also talk about Adobe, whose Creative Cloud experienced a huge outage last week.

Attacks on Windows XP and still no fix from Microsoft
The Redmond vendor remains firm on its decision to end support for Windows XP and refuses to fix a bug in Internet Explorer that has already been exploited by hackers. Microsoft and external security experts have indicated that hackers had been exploiting a vulnerability in Internet Explorer under Windows XP, and on the last Patch Tuesday no fix was provided to resolve the issue, in line with the decision to cease all support for the system. The bug, which has been identified with the reference CVE-2014-1815, is one of two critical vulnerabilities affecting IE6, IE7, IE8, IE9, IE10 and IE11 and patched by Microsoft last Tuesday. In the Security Advisory, the vendor pointed out that the vulnerability was already known and was already exploited by hackers even before this update. However, since Windows XP has no longer been supported since April, XP users did not receive a security patch for IE, unlike users of Windows Vista, Windows 7 and Windows 8. Arkoon+Netasq’s ExtendedXP allows keeping Windows XP workstations safe in the best security conditions.

Heartbleed: errors observed in the application of certificates and bug fixes
Despite the swift measures taken by certain sites to protect themselves from the Heartbleed attack, some of them realized that they were no better protected than before, and in some cases, found themselves even more exposed. After having fixed their version of OpenSSL following the Heartbleed attack on April 7th, many sites also went on to revoke their compromised SSL certificates and replace them with new certificates. But according to a survey, 30,000 sites received replacement certificates based on the same compromised private key used in previous certificates. This means that anyone who managed to steal the private key of one of these servers before it was patched can still use the key to impersonate the server in a man-in-the-middle attack.
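
One way to check a replacement certificate for the key reuse described above, as an added example that is not part of the original article: it compares the SHA-256 fingerprint of the public key in the old and the new certificate with the openssl command line. The function names and the www.example.test sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): detect a reissued certificate that
# still carries the public key of the certificate it replaces.

# spki_fp CERT.pem -> SHA-256 of the certificate's DER-encoded public key
spki_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1   # never hash empty input: it would "match"
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# reuses_key OLD.pem NEW.pem -> 0 same key, 1 different key, 2 unreadable cert
reuses_key() {
    old_fp=$(spki_fp "$1") || return 2
    new_fp=$(spki_fp "$2") || return 2
    [ "$old_fp" = "$new_fp" ]
}

# make_cert KEY.pem OUT.pem -> self-signed sample certificate (constructed data)
make_cert() {
    openssl req -x509 -new -key "$1" -subj "/CN=www.example.test" \
        -days 30 -out "$2" 2>/dev/null
}

# Build one pre-patch certificate and two replacements in directory $1.
make_samples() {
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null
    make_cert "$1/old.key" "$1/before.pem"        # in use while vulnerable
    make_cert "$1/old.key" "$1/reissued_bad.pem"  # new cert, same key pair
    make_cert "$1/new.key" "$1/reissued_ok.pem"   # new cert, fresh key pair
}

report() {
    reuses_key "$1" "$2"
    case $? in
        0) echo "$2: REUSES the old key pair" ;;
        1) echo "$2: fresh key pair" ;;
        *) echo "$2: could not read certificate" ;;
    esac
}

dir=$(mktemp -d) && make_samples "$dir"
report "$dir/before.pem" "$dir/reissued_bad.pem"
report "$dir/before.pem" "$dir/reissued_ok.pem"
rm -rf "$dir"
```

In practice the first argument is the certificate the server presented before OpenSSL was patched and the second is the certificate it presents now.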

Adobe’s Creative Cloud hit by a huge outage
Almost all the services and solutions in Adobe’s Creative Cloud suite were inaccessible throughout several regions worldwide, including Europe. At the time of writing, the problem was still unresolved and Adobe’s teams are looking into the cause of the malfunction. Only the file synchronization service escaped unharmed from this giant outage. At the same time, new accounts (Adobe ID) still cannot be created, as is the case with all Creative Cloud subscriber services. This is Adobe’s first major breakdown since the launch of Creative Cloud in June 2013.

Weekly Cybernote #5

For this latest edition of the Weekly Cybernote, we will first of all look at the data theft that took place last week at Orange, then go on to how a German hacker was able to prove that even the website of a giant such as the NSA can present obvious security flaws. To conclude, we will return to the topic of data theft, the cost of which has gone up by 9% in the US in 2014.

New data theft incident at Orange
Within the space of three months, customer data was stolen twice from the telecoms operator Orange in France. In all, at least 1.3 million people are affected by this incident of theft, compared to 700,000 in January. This incident does not affect just subscribers, but prospective clients and other service providers as well. The operator therefore had to activate a crisis communication procedure and inform all parties involved of the risks of phishing attacks that they might encounter. The fact that Orange chose to communicate on the subject was not for the sake of transparency, but simply because operators have a legal duty to notify the CNIL – the French data protection authority – of such thefts and inform the persons involved of the risks they are exposed to when their data is no longer anonymous. New regulations that will soon be in force in France and in Europe are expected to push companies to report data thefts to their clients on a more regular basis and to play the transparency card. Even though Orange was well aware that data had been stolen, many French companies, even the big ones, are not as well-versed in cybersecurity and fall victim to major attacks and data theft without even realizing it.

German hacker detected two vulnerabilities on the NSA website
It is amazing how you can be a giant in electronic intelligence, invest billions in technology and still have a poorly secured website! Matthias Ungethüm, a German security researcher, found and exploited two security flaws on the NSA’s homepage. The first vulnerability allowed him to inject code directly into the page, using cross-site scripting. By clicking on a link specifically created for that purpose, an internet user will not access the actual NSA page but a modified copy that looks exactly the same. As for the second vulnerability, it is more problematic. According to the hacker, it allows injecting SQL code in order to access databases relating to the web server, with the obvious purpose of siphoning them. To avoid attracting legal trouble, the hacker did not go further than just discovering the vulnerabilities. He simply confirmed that they indeed existed, while explaining that it does not take much technical expertise to exploit them. He did nonetheless alert the NSA, but has yet to hear from them.

The cost of data violation went up by 9% in the US in 2014
According to the 9th Cost of a Data Breach report published by the Ponemon Institute, the average cost of each data breach has reached 200 dollars in 2014 in the United States, an increase from $188 in 2013. The report therefore revealed an overall increase of 9% in terms of the cost of data violation in the United States, representing a total of 5.4 million dollars in 2014. 61 American corporations, representing 12 different activity sectors, participated in this survey and were exposed to this type of attack. More than 500 people were interviewed directly in the corporations involved and in government organizations. The industries that were most severely affected were healthcare, transportation, power production, financial services, communications, pharmaceuticals and the manufacturing sector.

Weekly Cybernote #4

For this latest edition of the Weekly Cybernote, we have chosen three hot topics that have made waves this week in the cybersecurity ecosystem. First of all, we will talk about the notorious vulnerability on Internet Explorer that gave Windows XP users quite a scare. Then, we will continue on the subject of browsers with the flaw that targets Safari in Mac OSX. Lastly, we will discuss France’s place in the annual number of cyber-attacks. 

The zero-day vulnerability on Internet Explorer fixed in Windows XP
Microsoft seems to have hogged the headlines this week, with a zero-day flaw targeting Internet Explorer. Having announced the end of support for Windows XP on April 8th, Microsoft had decided not to provide any patches for this vulnerability under the OS. On May 1st, Microsoft obviously had a change of heart and provided a security patch (MS14-021) that is valid for all versions of Internet Explorer (IE6 to IE11), and for all versions of Windows (including XP). Adrienne Hall, General Manager at Microsoft, also explained that the buzz surrounding this vulnerability had been exaggerated, as very few attacks had been launched on this particular flaw. Whatever the case, people are starting to wonder what Microsoft’s position is with regard to Windows XP, which was supposed to no longer be patched since 8 April.

A security flaw that went unfixed for three weeks on Safari iOS
Safari may not create as much buzz as Internet Explorer due to a smaller following, but security issues have clearly marred Apple’s signature browser. According to a former Apple security engineer, iOS users remained exposed to known security issues – previously patched in Safari for Mac OSX – for more than three weeks. In short, the vendor let three weeks go by between its patch for Safari Mac and the one for Safari iOS. Kristin Paget, the security researcher in question, left Apple in late January to join Tesla Motors. Incidentally, she was a vocal critic of the way Apple delivered fixes.

France one of the top 5 European nations exposed to advanced threats
According to a report published by FireEye, France was in the top 5 European countries most affected by targeted attacks. It even holds the record number of economic sectors hit by professional cybercriminals. From agriculture to finance, and technology and education, all sectors were recently treated to their dose of advanced and targeted attacks, commonly known as APTs. France came in fifth among the European nations with the highest number of APTs, behind Germany, the UK, Switzerland and Luxembourg. The sectors that were affected the most were the public sector (25%) and finance (22%).