By the end of 2015 governments on both sides of the Atlantic were pushing for more extensive electronic surveillance powers and tighter controls in data protection.
iGaming Business Technical Editor Justin Bellinger picks up on the most interesting and controversial elements of the proposed legislation, and also rounds up the latest software, network, DDoS and malware news and patches.
Linux, it has emerged, can be taken down with just one key. A bug in the Grub2 bootloader leaves it open to a very strange hack – pressing backspace 28 times at system start-up drops the user into a rescue shell, allowing an attacker to bypass the installed security measures. The Grub2 bootloader is used by most Linux distributions, including many embedded systems. Hector Marco and Ismael Ripoll from the University of Valencia discovered the flaw and reported it to the industry, which responded quickly. Although physical access to the machine is required, swift patching is recommended. All major distributions have released a patch for this unusual bug.
Microsoft has issued a number of critical updates to its product suite, with MS15-124 through to MS15-131 all classed as critical. The updates fix issues ranging from remote code execution problems in many of Microsoft’s products through to a cumulative update for Internet Explorer (which also addresses a remote code execution problem in that software). It is essential to apply these updates as soon as possible, as the nature of the problems allows remote, unauthorised users to compromise machines that have not been patched.
Apple provided us with another update for OS X 10.11, El Capitan. Release 10.11.2 addresses some 54 security flaws in the operating system. In typical Apple style, the company has been tight-lipped over the exact nature of the vulnerabilities patched in this release, preferring the route of ‘security by obscurity’ to the more open approach of many other companies. There have been reports, however, that fixes for holes allowing remote code execution in the OS X kernel, CoreGraphics and OpenGL are among the contents of the security update. Alongside the above, updates for TV OS and the release of Watch OS 2, Apple gave us iOS 9.2. iOS 9.2 fixes some 50 issues, including a loophole in WebKit and OpenGL that could allow arbitrary code execution following a visit to a maliciously crafted website.
MacKeeper owner Kromtech suffered a breach, briefly exposing user data totalling some 13 million records. Researcher Chris Vickery stumbled across the open database whilst using the search engine Shodan.io. After unsuccessfully trying to contact Kromtech, Vickery resorted to a plea on Reddit to get the company’s attention. The open database has since been secured, but users of MacKeeper are advised to change their passwords and, if they have used the same password on multiple sites, to change those too.
Joomla – if you use this popular open source CMS, please be aware that there are updates fixing a zero-day exploit discovered by security company Sucuri on 12 December. Joomla issued a patch two days later, but not before hackers had exploited the flaw in the software, which allows full remote command execution via HTTP. If you haven’t patched already (you will have been prompted to), do so right away. To find out whether your machine has been compromised, Sucuri tells us that users can check by searching the logs for “JDatabaseDriverMysqli” or “O:” in the User-Agent.
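The log check Sucuri describes above can be scripted rather than grepped by hand. The following is an added example written for this round-up, not code from Joomla or Sucuri: it parses web server access log lines in the standard Apache/nginx “combined” format, pulls out the User-Agent field (handling the `\"` escaping Apache applies to quotes inside that field) and flags any entry containing the two indicators named in the text. The `strict` option is my own addition: a bare “O:” substring also matches innocent strings such as “DEMO:bar”, whereas a PHP serialized object always has the shape `O:<length>:"<ClassName>"`, so the tighter pattern keeps the signal while cutting false positives. The sample log lines, IP addresses and timestamps are constructed for the demonstration.

```python
"""Scan combined-format access logs for the Joomla User-Agent indicators.

Added example for this article; not Joomla's or Sucuri's own tooling.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# Apache/nginx "combined" log format. The User-Agent is the final quoted
# field; Apache writes embedded double quotes as \" so the field pattern
# accepts backslash-escaped characters.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Indicator named in the article: the Joomla database driver class name.
CLASS_INDICATOR = "JDatabaseDriverMysqli"

# Tightened form of the article's "O:" check: a PHP serialized object is
# written as O:<length>:"<ClassName>", and the quote may be logged as \".
SERIALIZED_OBJECT_RE = re.compile(r'O:\d+:\\?"')


class Hit(NamedTuple):
    ip: str
    time: str
    request: str
    user_agent: str
    reason: str


def classify_user_agent(ua: str, strict: bool = True) -> Optional[str]:
    """Return a reason string if the User-Agent carries an indicator, else None."""
    if CLASS_INDICATOR in ua:
        return "JDatabaseDriverMysqli in User-Agent"
    if strict:
        if SERIALIZED_OBJECT_RE.search(ua):
            return 'PHP serialized object prefix O:<n>:" in User-Agent'
    elif "O:" in ua:
        # The article's literal check; noisier, kept for completeness.
        return '"O:" substring in User-Agent'
    return None


def scan_log(lines: Iterable[str], strict: bool = True) -> List[Hit]:
    """Parse each combined-format line and collect the suspicious ones."""
    hits: List[Hit] = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reason = classify_user_agent(m["ua"], strict)
        if reason:
            hits.append(Hit(m["ip"], m["time"], m["request"], m["ua"], reason))
    return hits


# Constructed sample log: one benign browser, one benign UA that happens to
# contain "O:", and one carrying a serialized object of the indicator class.
SAMPLE_LOG = r'''203.0.113.7 - - [14/Dec/2015:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/42.0"
203.0.113.9 - - [14/Dec/2015:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; DEMO:bar)"
198.51.100.4 - - [14/Dec/2015:10:03:41 +0000] "GET / HTTP/1.1" 200 5123 "-" "O:21:\"JDatabaseDriverMysqli\":0:{}"
'''


if __name__ == "__main__":
    import sys

    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for hit in scan_log(source):
        print(f"{hit.ip} {hit.time} {hit.request!r}: {hit.reason}")
```

Run it with the path to an access log as the first argument, or with no arguments to scan the embedded sample. A hit does not by itself prove a successful compromise (the request may have been blocked or the site already patched), but any matching line is worth correlating with the response status, the time of the 12–14 December window and any new files or admin accounts on the host.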
Network and hardware
Juniper on 17 December issued an emergency update to ScreenOS, the OS used by NetScreen appliances. The company found code that not only opens the devices up to remote administrative access over SSH or telnet but also allows for decryption of VPN traffic passing through the device. NetScreen appliances are high-end devices and will be used by only the largest igaming companies as well as some telcos and data centre providers.
The unauthorised code has been present in ScreenOS releases from 2012 right through to the latest release prior to the freshly released update. Juniper is investigating the incident but has not commented on the origin of the code. Re-read this segment once you have read the Cyber Security Bill section at the end of this article. I’ll leave you to draw your own conclusions as to what forces may have been at play when this code was introduced into ScreenOS.
Cisco’s Prime Collaboration Assurance (PCA) software was found to contain a system account with a default, static password. PCA is a management tool for Cisco’s unified communications suite of products, so it is worth checking for the workaround for CVE-2015-6389 if you use Cisco telephony products in your organisation.
Apart from hearing the unsurprising news from Akamai that our industry is the sector most likely to be targeted by DDoS attacks (others tell us that financial services is the one feeling the most heat at present), we are at that time of year when we should already have battened down the hatches for the seasonal attacks. Spare a thought for Sony’s PSN and Microsoft’s Xbox Live though, both of which were threatened with a large DDoS attack on Christmas Day.
Android users of banking apps need to be wary of a couple of bits of malware doing the rounds, Zbot and Marcher. Although Marcher has been out for nearly two years it’s not going away, with increased focus on geographic regions. Australia appears in its sights at the moment.
The victim receives an MMS message with an embedded link to install Adobe Flash Player. If the user clicks the link they are redirected to a site that downloads the Marcher code. Marcher then substitutes the entry fields of many popular banking apps, diverting the user’s credentials to the attacker as they are typed in. Zbot, on the other hand, appears to be mainly targeting Russian victims.
The malware again detects when a banking app has been opened on the victim’s device and overlays a phishing screen to collect the victim’s information. Zbot is a variant of Zeus and is contracted by downloading malicious apps from a fake Google Play Store app; it can be easily avoided by only downloading apps from the authentic Play Store.
For those of you who feel the need never to be parted from the scriptures of the Bible, there is some cautionary news. Proofpoint analysed some 5,600 Bible apps, of which 208 contained malicious code. Interestingly, the company also tested 23,000 card game apps; the surprising news is that only 52 of these were found to contain malicious code.
Since our report on YiSpecter and XcodeGhost in the last issue there have been no further reports of malware on Apple’s phone or tablet OS. However, as mentioned in the first section, iOS 9.2 has been released and contains patches for 50 reported issues, so it is wise to update sooner rather than later.
If you have been in the IT sector long enough you may remember the Melissa virus of the 90s. This wreaked havoc, spreading rapidly by infecting a machine and emailing itself on to other victims: 50 addresses from the host’s address book would be sent an infected document with the subject “Here is that document you asked for…”. Melissa was a macro virus, relying on the victim opening an infected MS Office file seemingly sent to them by someone they trust. Thanks to a host of tools and kits on underground sites, the macro virus is enjoying something of a resurgence, with the number in the wild spiking during 2015.
Once again, the only real way of protecting against this type of virus is user vigilance: patching should be maintained, the Office macro security setting should be set to ‘high’ and users should be educated on email security, i.e. don’t open a file you are not expecting.
Users should look out for a new trojan doing the rounds. Rekoobe, reported to us by Russian security firm Dr.Web, is difficult to detect. The encrypted package allows a command and control server to upload and download files to the infected host so could well be used as a conduit for further compromises of the target machine. There are rumours that the Trojan has been ported to Mac OS X, Windows and Android.
In the news
EU Data Protection
Following on from our report on Safe Harbor, the EU has been busy finessing the latest cut of harmonised EU data protection legislation. The new legislation will replace the current arrangement, which has been in place since 1995. The legislation, informally agreed on 16 December, will bring uniformity to the currently disparate member state rules. The rules are all-encompassing, aiming to provide certainty to users in the digital economy and to foster trust between users and the suppliers of these services.
According to a European Parliament press release the new rules include provisions on:
- Clear and affirmative consent to the processing of private data by the person concerned, so as to give consumers more control over their private data. This could for example mean ticking a box when visiting an Internet website or by another statement or action clearly indicating acceptance of the proposed processing of the personal data. Silence, pre-ticked boxes or inactivity will thus not constitute consent. It should also be as easy for a consumer to withdraw consent as to give it.
- Children on social media – those below a certain age will need to get their parents' permission (“parental consent”) to open an account on social media such as Facebook, Instagram or Snapchat, as is already the case in most EU countries today. The new, flexible rules ensure that member states can set their own limits, provided these are between the 13th and 16th birthdays, thus giving them the freedom to maintain those they already apply. This flexibility was included at the pressing request of member states. Parliament’s negotiators would have preferred an EU-wide age limit of 13 years.
- Right to be forgotten – consumers will thus have the “right to be forgotten” or erased from the databases of companies holding their personal data, provided there are no legitimate grounds for retaining it.
- The right to know when your data has been hacked – companies and organisations will be required to notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
- Plain language – MEPs insisted the new rules must put an end to “small print” privacy policies. Information should be given in clear language before the data is collected.
- Fines of up to 4% of firms' total worldwide annual turnover should constitute a real deterrent to breaking the rules.
- Firms will have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers. Firms whose core business activity is not data processing will be exempt from this obligation so as to avoid red tape.
- One-stop-shop for complaints and enforcement – national Data Protection Authorities (DPAs) will be enhanced to become a first instance body where citizens can complain about data breaches. Cooperation among the DPAs will also be significantly strengthened to ensure consistency and oversight.
There are some very important areas for businesses to thoroughly understand, the most significant being a potential fine for a breach of data protection rules of up to 4% of global turnover, far higher than current fines.
To put this into context, in 2013 Sony was fined just £250,000 for the 2011 data protection breach on its PlayStation Network. Had this law been in effect then, when Sony’s annual turnover was in the region of £39bn, the fine could have totalled £1.56bn!
The new rules are expected to be ratified in March or April 2016 and Member States will be expected to implement the new legislation within a two year period.
Cyber Security Bills
The ‘Snooper’s Charter’ rears its head on both sides of the pond. The UK Government has published a draft Investigatory Powers Bill, due to be debated by Parliament early in 2016. The draft bill requires every ISP and phone company in the UK to store and make available records of all websites visited by every citizen for a period of 12 months.
As well as this mass harvesting of data, ISPs are expected to assist the security services in bypassing encryption on their customers’ devices. Some controls have been added through a “double lock” system giving a panel of judicial commissioners the power of veto over an intercept request, but there is an exemption from this control for urgent cases.
Naturally both the ISPs and privacy campaigners are up in arms about the proposed changes. The ISPs have raised concerns over the practicality and cost of implementing the new measures. The privacy body has used phrases such as “now the government will also be able to know what you are thinking as well as what you are doing”.
Meanwhile across the pond, reminding us of that day in 2006 when UIGEA was tacked on to the end of the SAFE Port Act, the US has chosen to bury a controversial surveillance bill deep in an omnibus spending bill crucial to avoiding the shutdown of government.
The bill makes sharing user information easier between the private sector and the government and indeed between the companies themselves, something that appears to be directly at odds with the efforts of the EU on privacy.
The bill also removes the Department of Homeland Security as the middle man between the private sector and the NSA, allowing for information to be shared directly with the NSA.
Previously the US government was restricted in the extent of its electronic surveillance powers, only being able to use the information collected for cyber security purposes. This new bill allows for the wholesale sharing of this harvested information for any purposes that it chooses.
This news comes hot on the heels of an increased push by the US government to force companies providing encrypted messaging services, such as Apple’s iMessage and WhatsApp, to be in a position to provide the government with decrypted copies of the messages transiting their servers.
So, once again an eventful couple of months. Please do ensure that you take the time to check in with your sys admins if your company uses any of the software or systems mentioned above, and do look out for your personal security if you use any of the devices, apps or code mentioned in the round-up.
Also keep a look out for government bills in the offing that may affect your business or your own personal security.