STE WILLIAMS

UK’s super-cyber-snoop shopping list: Internet data, bulk spying, covert equipment tapping

Britain’s Home Secretary Theresa May revealed today that Brit spooks have, for years, been using section 94 of the 1984 Telecommunications Act to intercept bulk communications data of people in the UK.

Her comments came as the Secretary of State introduced her 299-page-long draft Investigatory Powers Bill [PDF] to the House of Commons on Wednesday.

Under the proposed law, s.94 of the Telecoms Act will be repealed and replaced with a new “Bulk Acquisition” warrant to allow spooks to intercept comms data.

May said that key aspects of the proposed legislation included the “use of equipment interference powers to obtain data covertly from computers” including the bulk slurping of such data to try to hunt down terror and criminal suspects overseas.

The Home Sec continued: “This Bill will also allow the police to identify which communications services a person or device has connected to – so-called internet connection records.”

She claimed that it was wrong for such actions to be “characterised” as “having access to people’s full web browsing histories. Let me be clear – this is simply wrong.”

May added:

An Internet Connection Record is a record of the communications service that a person has used, not a record of every web page they have accessed.

So, if someone has visited a social media website, an Internet Connection Record will only show that they accessed that site, not the particular pages they looked at, who they communicated with, or what they said.

It is simply the modern equivalent of an itemised phone bill.

The government had originally hoped to push the investigatory powers legislation through the Palace of Westminster before DRIPA’s sunset provision expires at the end of 2016.

However, it will need to happen sooner than that now: the Data Retention and Investigatory Powers Act – which was rushed through Parliament as an “emergency” measure backed by all sides of the House in 2014 – was found to be unlawful by the High Court in July this year.

It means the government only has until March next year to rewrite DRIPA or altogether replace it with fresh legislation.

One of the key things to come out of that decision was that judicial oversight of poking around and retaining netizens’ web data needed to be baked into DRIPA to square it with the European Court of Justice and Blighty’s High Court.

So any noise today about the government making concessions to placate privacy advocates is in fact a red herring, since it’s now required by law to ensure such judicial oversight is there from the get-go.

The full draft Investigatory Powers bill can be viewed here [PDF].

May told MPs that she planned to publish a revised IPB in the spring, after the current draft has been scrutinised by peers and politicos. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/investigatory_powers_bill/

Ransomware scammers: Won’t pay? We’ll put your data on the internet

Ransomware-peddling cybercrooks have come up with a sinister twist to their increasingly well-worn scam – online publishing.

Instead of just simply encrypting files on compromised Windows PCs, the relatively new Chimera ransomware offers victims a threat – if they don’t pay up, their data will be published online, presumably for all the world to see.

Scam emails punting the menace appear under the guise of job applications or business offers. Security researchers from anti-malware firm Botfrei spotted the ransomware, which is said to be targeting German SMBs.

If activated, Chimera also attempts to encrypt network drives connected to compromised Windows PCs, as a blog post by Botfrei explains.

So this is full-spectrum blackmail, providing cybercrooks are actually in a position to deliver on their threats. However, that seems far from certain.

For one thing, even Botfrei reports there is no evidence that personal data has actually been published on the internet. It doesn’t know whether private keys are handed over if victims meet extortionate payments either. All it knows is that the scam has been doing the rounds in Germany for at least the last couple of weeks.

Ransomware normally works by encrypting files on local machines without siphoning it off and storing it on the cloud. And there’s no immediate technical difference that would show Chimera ransomware is capable of any such thing.

Troy Gill, manager of security research at AppRiver, commented: “While this specific threat is a new addition to the crypto ransomware malware family, it is in perfect keeping with typical malware attacks. Making threats is the name of the game when it comes to ransomware or ‘scareware’.”

He added: “However, I think it is very unlikely that the victim is in any real danger of having their actual documents posted online. With all instances of cryptographic ransomware that we have observed in the past few years, all have simply encrypted the users files on their machine.

“None have shown any evidence that the documents were exfiltrated from the victims machine. Doing so would be a significant increase in risk for the attacker with much less reward,” Gill said, adding that Chimera is “essentially a variant of CryptoLocker with the added scareware element”.

“If this tactic (of threatening to release documents online) proves to increase the attackers effectiveness then we can rest assured it will become more widespread,” he concluded.

Whether the tactic will work is far from certain. Leaking otherwise locked-up data might actually suit some victims.

Ransomware, in general, highlights the need to keep backups, run up-to-date security software and apply common sense while surfing online, especially when it comes to opening suspicious email attachments and the like.

None of this is certain but anything that minimises the chances of getting infected ought to be encouraged. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/chimera_ransomware_publish_online/

UK govt sneaks citizen database aka ‘request filters’ into proposed internet super-spy law

A secret database of citizens’ personal lives and habits isn’t explicitly spelled out in the UK’s latest surveillance law. No, instead, it’s described as a set of “request filters.”

The term is buried in the draft Investigatory Powers Bill (IPB), which was introduced to Parliament on Wednesday. Turn to page 254 of the 299-page document [PDF], and you’ll find it under “Clause 51: Filtering arrangements for obtaining data.”

Such arrangements, the proposed law states, will be implemented by the Secretary of State, and no mention is made of any judicial oversight.

The request filters are ways in which the authorities can, without a court warrant, search for and organize information on citizens from their “internet connection records,” which are held for 12 months, presumably stored by the ISPs. These records include details such as your IP addresses, the websites you visit, when you visit them, and where you connect from.

Two example request filters are cited in the IPB. The first is IP address associations, allowing snoops to narrow down who is using a particular website:

An investigator has details of a number of IP addresses which they believe relate to a specific individual, and have been used to access internet services at known times.

However, each IP address cannot be resolved to a single individual because at the known time it has been simultaneously shared between many internet users. In this example, the Request Filter would be able to match the specific individual in common between the users of each of the IP addresses, then disclose only the communications data about that specific individual to the public authority.

Without the Request Filter, telecommunications operators would need to disclose details of every individual that had shared the IP addresses at the relevant times, and an analyst working in the public authority would examine all of the individuals’ data to obtain the same result.

The second example cited is “location correlation,” which again points to a request filter being used. Both examples, of course, demonstrate that this is a database by another name.
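The IP address association example above, worked through as an added illustration. This is example code written for this page, not the bill's text or any operator's system; the operator log, subscriber IDs and addresses are constructed, and the "one individual in common, else nothing" rule is an assumption about how such a filter would be built.

```python
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample data (not from the bill or any real operator): an
# operator's log of which subscriber sat behind which shared public IP address
# during which hour. Several subscribers share each address at the same time,
# which is why an address on its own cannot be resolved to one person.
OPERATOR_LOG: List[Tuple[str, str, str]] = [
    ("198.51.100.7", "2015-11-04T09", "sub-1001"),
    ("198.51.100.7", "2015-11-04T09", "sub-1002"),
    ("198.51.100.7", "2015-11-04T09", "sub-1003"),
    ("198.51.100.7", "2015-11-04T09", "sub-1005"),
    ("203.0.113.9", "2015-11-04T13", "sub-1002"),
    ("203.0.113.9", "2015-11-04T13", "sub-1004"),
    ("198.51.100.7", "2015-11-04T21", "sub-1002"),
    ("198.51.100.7", "2015-11-04T21", "sub-1005"),
    ("198.51.100.7", "2015-11-04T21", "sub-1006"),
]

# (IP address, hour) pairs the investigator already holds.
Query = Tuple[str, str]


def subscribers_behind(log, ip: str, hour: str) -> Set[str]:
    """Everyone the operator's log places behind `ip` during `hour`."""
    return {sub for (logged_ip, logged_hour, sub) in log
            if logged_ip == ip and logged_hour == hour}


def without_filter(log, queries: Iterable[Query]) -> Set[str]:
    """What the bill says happens without a filter: the operator discloses
    every individual who shared any of the addresses at the relevant times,
    and an analyst at the public authority sifts through all of them."""
    disclosed: Set[str] = set()
    for ip, hour in queries:
        disclosed |= subscribers_behind(log, ip, hour)
    return disclosed


def request_filter(log, queries: Iterable[Query]) -> Optional[str]:
    """The filtering arrangement as described: intersect the subscriber sets
    behind each (ip, hour) pair and release a record only when exactly one
    individual is common to all of them. An ambiguous or empty intersection
    releases nothing (assumed rule), so the filter never degrades into the
    bulk disclosure it is meant to replace."""
    common: Optional[Set[str]] = None
    for ip, hour in queries:
        behind = subscribers_behind(log, ip, hour)
        common = behind if common is None else common & behind
        if not common:  # nobody is common to every address; stop early
            return None
    if common is None or len(common) != 1:
        return None
    return next(iter(common))


def disclosure_counts(log, queries: List[Query]) -> Tuple[int, int]:
    """Number of individuals' records handed to the public authority
    without the filter versus with it."""
    bulk = len(without_filter(log, queries))
    filtered = 0 if request_filter(log, queries) is None else 1
    return bulk, filtered


if __name__ == "__main__":
    queries = [("198.51.100.7", "2015-11-04T09"),
               ("203.0.113.9", "2015-11-04T13"),
               ("198.51.100.7", "2015-11-04T21")]
    print("filtered result:", request_filter(OPERATOR_LOG, queries))
    print("bulk vs filtered records:", disclosure_counts(OPERATOR_LOG, queries))
```

With the three constructed queries the filter returns the single subscriber common to all of them, while the unfiltered route would hand over six individuals' records; drop the middle query and two subscribers remain in common, so the filter returns nothing rather than both.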

In subsequent clauses, the bill goes on to state that the investigatory powers watchdog will have “rigorous oversight and control” of the request filters, seemingly based on details provided in an annual report that’s submitted by senior operatives of the database.

Telco lobby group ISPA offered up its initial take on the proposed legislative overhaul:

The Draft Bill is highly complex and some of the provisions seem to be an extension of existing powers: for example the inclusion of a “request filter” and how Internet Connection Records are defined.

ISPA will be responding more fully in the coming days on the implications of the new legislation.

The cryptically named request filters had formed part of UK Home Secretary Theresa May’s draft Communications Data Bill in 2012. It even came under scrutiny from the UK’s Information Commissioner Office (ICO), which demanded details about the opaque system from the Home Office.

Later, in light of the Snowden revelations, the ICO had this to say:

Using technology to help enhance privacy, not just to erode it, is possible and can help meet the twin objectives of security and privacy protection. The potential for this was recognised in the Government’s Draft Communication Bill published in June 2012, which included provisions for the establishment of a “request filter.”

This would have ensured that only information of concern is passed on to investigative bodies, without the need for any intrusive or unreliable human intervention, and would have allowed communications data of no concern to be promptly deleted.

Recent reports have suggested that security agencies are performing quite the opposite by building their own collection, storage, filter, and analysis mechanisms.

Based on the ICO’s logic, the UK government simply needs to be transparent about such a database with citizens and regulators, and then it can slurp away. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/ukgov_request_filter_in_snooping_bill/

‘Keep calm and hit record’ mobile apps help Little Brother watch Big Brother


Thanks to new and upcoming mobile apps, members of the public who feel they’ve been unfairly stopped or even harassed by the police won’t have to rely solely on police records or recordings to make their case.

Instead, the apps enable you to monitor how stop and search is conducted, either of yourself or someone else, and help you to film and collect your own evidence and share it with civil rights groups.

The apps work by enabling users to instantly record police encounters and, at the push of a button, to send the recording to advocates who can intervene and/or offer legal advice.

The UK app is called Y-Stop.

It was co-produced by the London-based charities Release and StopWatch.

The app is available for Android and iOS as part of a wider scheme to manage the interaction between police and young people, many of whom don’t understand their rights or how to behave during a police encounter.

Y-Stop enables onlookers, or people involved in police encounters, to instantly record and report the experiences.

Y-Stop also offers users education about their rights and how to behave when being stopped and searched, as well as enabling them to file complaints directly to the police (with a copy going to Y-Stop), and get in contact with lawyers and experts for support.

The collective behind Y-Stop says in its mission statement that two years of research have shown that police encounters with young people are often confusing and stressful, as well as being divisive within communities:

We found out stop and search is a disempowering, frightening and frustrating experience for young people across the UK. It has a serious impact on communities too, creating a complete lack of trust and confidence in the police, as a result of the suspicion, neglect and prejudice we often face. 

In the US, a similar app, called Mobile Justice, is due to be released by the American Civil Liberties Union (ACLU) on Nov. 13, 2015.

ACLU National ✔ @ACLU
#FilmThePolice w/ our #MobileJustice app, coming to 17 states on Nov. 13. Help spread the word: https://www.thunderclap.it/projects/31881-keep-calm-and-hit-record?locale=en … #Blacklivesmatter

The free mobile app will be available on Android and iOS for use in 17 states and in Washington, D.C.

Mobile Justice will enable users to:

  • Submit recordings directly and securely to your local ACLU affiliate.
  • Get instant location alerts from fellow app users nearby.
  • Access the ACLU’s “Know Your Rights” materials.
  • Keep up-to-date on local and statewide ACLU actions and events.


Image of Woman filming police on mobile phone courtesy of arindambanerjee / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GNw2wyknCTs/


TalkTalk keeps talking about that data breach but never says the right thing


Information about the data breach at UK telecom group TalkTalk has continued to drip out since the company announced a “cyberattack” on its website (on 22 October 2015).

Yet, with every new piece of the puzzle, we seem to get no closer to the truth about what exactly happened, who was responsible, and what TalkTalk is doing to fix this messy affair.

On a positive note, the police seem to be making progress in the breach investigation.

Two more suspects were arrested in recent days, the Metropolitan Police announced: a 20-year-old man at an address in Staffordshire, and a 16-year-old boy in Norwich, who was arrested on Tuesday (3 November 2015) and became the fourth suspect arrested in connection with the breach.

Two teenaged boys (ages 15 and 16) were previously arrested on suspicion of Computer Misuse Act offenses, but the police haven’t said anything more about what these four young men are suspected of doing, and for what purpose.

TalkTalk has continued to update the public on the breach at a dedicated webpage, and on Friday (30 October 2015), the company was finally able to explain precisely how much data was lost:

  • Fewer than 21,000 unique bank account numbers and sort codes
  • Fewer than 28,000 obscured credit and debit card details (unencrypted, but with the middle 6 digits removed)
  • Fewer than 15,000 customer dates of birth
  • Fewer than 1.2 million customer email addresses, names and phone numbers

Although bank account numbers on their own can’t be used by cybercriminals for fraud, TalkTalk says, customer names, email addresses, birth dates and phone numbers can be used for a variety of scams and phishing attacks.

TalkTalk CEO Dido Harding made yet another statement, confirming that the scale of the attack was “much smaller” than initially thought, but:

… this does not take away from how seriously we take what has happened and our investigation is still ongoing. On behalf of everyone at TalkTalk, I would like to apologise to all our customers. We know that we need to work hard to earn back your trust and everyone here is committed to doing that.

We’ll have to assume that Harding hasn’t read Naked Security writer Mark Stockley’s tongue-in-cheek but dead accurate take on what companies sound like after a data breach.

If she had, she would have known that comments about just how “seriously” she takes a security breach of this magnitude only make it sound like it wasn’t all that serious a consideration beforehand.

With her numerous public statements, Harding has given the appearance of transparency, but she may only be muddying the waters with contradictory and even factually incorrect statements.

For example, Harding may have been correct in saying that TalkTalk was “not legally required” to encrypt customer data under the 1998 Data Protection Act, but she also stated that “we don’t store unencrypted data on our site,” according to a thorough tick-tock of the data breach compiled by The Register.

The UK Parliament is launching an inquiry into the breach, and will likely look into making data encryption compulsory for firms holding customer data, the BBC reported.

Encryption wouldn’t have helped keep TalkTalk customers’ data safe, though, if the attackers prised it out with a SQL injection attack: the website’s own application decrypts stored data to answer the queries it runs, so a query smuggled in through that application receives the plaintext too (something Harding may have been suggesting when she incorrectly said that TalkTalk was the victim of a “sequential attack”).

TalkTalk and Harding initially suggested that the website was knocked out by a denial-of-service attack but have yet to explain how that was connected to the data breach.

Harding also got ahead of herself when she told the BBC that she had received a ransom demand for the stolen data.

After these public relations blunders, TalkTalk has clammed up about how the attack happened, saying in its FAQ that the “attack is the subject of a criminal investigation by the police so we can’t make any further comment.”

Speaking of which, TalkTalk released a statement from a Detective Superintendent Jayne Snelgrove of the Metropolitan Police Cyber Crime Unit, who said:

TalkTalk have done everything right in bringing this matter to our attention as soon as possible. Our success relies on businesses being open with us and each other about the threats they encounter.

Meanwhile, TalkTalk has only just begun (as of 30 October 2015) contacting those customers whose data was accessed.

Countless companies have had similar troubles after a data breach, and getting it right is obviously not easy.

But TalkTalk seems to have done little right apart from getting law enforcement involved and offering an apology – and it has a lot of work to do to earn back customers’ trust if it wants to hang on to them.


Image of man screaming courtesy of Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_UXdYN18X-s/


vBulletin enforces password reset after website attack


Forum owners and users beware!

The website of popular forum software maker vBulletin has been breached.

Following claims, nay, boasts, of an attack on Sunday evening, the software developer moved quickly to negate the effects of the hack by releasing a series of security patches on Monday, saying:

A security issue has been reported to us that affects the versions of vBulletin listed here: 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8 and 5.1.9. We have released security patches to account for this issue. It is recommended that all users update as soon as possible.

That was in response to a hacker going by the name of “Coldzer0” who bragged about his alleged exploits on various web forums, as well as social media. He also uploaded a YouTube video and posted data on Facebook, both of which have since been deleted.

Additionally, in a post co-authored with @Cyber_War_News, he also claimed to have compromised the forums for Foxit Software, using the exact same vulnerability. He says he obtained information from more than 260,000 of Foxit’s 537,000 user accounts, telling @Cyber_War_News that he thought it strange his hacking attempts were not detected.

All in, Coldzer0 is believed to have made off with personal data belonging to some 479,895 users from the two attacks.

According to databreaches.net, Coldzer0 swiped user ids, full names, email addresses, security questions and corresponding answers (both in plain text) and salted passwords.

While it is not yet clear how the hack took place, Coldzer0 claims he exploited a zero-day vulnerability affecting vBulletin.com, a possibility lent some credence by a report from the Register which offers up links to a couple of tweets which appear to confirm as much.

In addition to the security patches, vBulletin has also taken the additional step of enforcing a password change upon all of its users, using a post on its own forum to announce the global reset request:

We take your security and privacy very seriously. Very recently, our security team discovered a sophisticated attack on our network. Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems.

We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect your account.

If you think that message looks familiar, you’d be spot on – it’s almost a carbon copy of what Paul Ducklin described as “that verbiage trap” when covering a very similar breach at vBulletin in November 2013.

I won’t repeat what Paul wrote here but will add that the phrase “We take your security and privacy very seriously” really does ring quite hollow with customers when uttered immediately after a breach which, at the very least, offers the merest inkling that may not have actually been the case.

The password reset notice also ends in an identical fashion to the message put out in 2013, saying:

Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you choose a password that you are not using on any other sites.

Again, as Paul wrote two years ago, that isn’t bad advice, but it could be better: reusing passwords is a bad idea. Period. Don’t do it. Ever.

Instead, vBulletin should cease “highly recommending” that its users employ a unique password on every site and instead demand it.

Just to make that clearer: if you are administering a site that uses vBulletin software, install the patch now.

Likewise, along with anyone who has ever signed up for the vBulletin or Foxit Software forums, change your password now and make it long, complex and unique, just as we explain in the following video:



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/71fUR4qxc-8/


What would YOU do with a $1,000,000 exploit? [Chet Chat Podcast 220]

Sophos Security Chet Chat – Episode 220 – Nov 4, 2015

Join Sophos experts Chester Wisniewski and Paul Ducklin for the latest episode of our security podcast.

Listen to the week’s news in a way that’s fun, informative and educational – all in a tight, quarter-hour format.


In this episode:

• [0’50”] The “Dance like no one’s watching” #sophospuzzle
• [1’56”] Cool T-shirts, socks and even surfboards at the Sophos Store
• [2’22”] A $1,000,000 hole in the iPhone?
• [4’43”] Data breach dilemma continues to stalk TalkTalk
• [6’28”] Should you do the Encryption Dance?
• [7’07”] No, no, no, 000Webhost!
• [10’03”] Yahoo’s “crypto witch” exploits the HSTS security feature
• [13’53”] The demotion of (ex-) Planet Pluto

Other podcasts you might like:

• Chet Chat 219 – It’s not CLOUD computing, it’s CLOWN computing!

• Chet Chat 218 – You make your PRIVATE key PUBLIC, right?

• Sophos Techknow – Malware on Linux – When Penguins Attack

• Sophos Techknow – Dealing with Ransomware


Lotsa dollars – image courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Sag__tNBCtE/