'That's a FUBAR train wreck waiting to happen'

Plus: 'It is fairly simple to stop HULK attacks'


Quotw This was the week that was all about security - or the lack thereof.

LinkedIn, eHarmony and Last.fm all got hacked and had user passwords stolen. Millions of members from the business network and the dating site had their passwords published online, while users were also getting spammed, indicating emails may have been taken too.

LinkedIn came off the worst in the hacks, as its users' passwords were published in hashed form, when many security experts recommend salting as well as hashing for protecting stored passwords.

One annoyed member told The Reg:

When you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that's a FUBAR train wreck waiting to happen.

Both LinkedIn and eHarmony were also less than forthcoming about whether or not other information could have been stolen when the hackers were creeping about in their system. Despite the fact that members were reporting being inundated with spam and phishing emails, the sites were staying mum.

A spammed eHarmony user said:

Not surprisingly, eHarmony haven't answered my requests for more information.

Data breaches continue to be taken more and more seriously in the UK, as the Information Commissioner's Office handed out its biggest cash smackdown yet, to an NHS trust.

The Brighton and Sussex University Hospitals NHS Trust was fined £325,000 for leaving data on patients and staff on hard drives that ended up on eBay instead of being destroyed.

However, the Trust is ticked off with the size of the whopping penalty and disagrees that it was "reckless" in protecting data, which needs to be proved for the ICO to release the hounds.

The Trust said it was appealing the ruling, adding:

It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'.

Meanwhile, a security researcher accidentally handed over big, green ammunition to the bad guys when he shared his new HULK attack tool on his blog.

The malware you wouldn't like when it's angry is a denial of service tool, but it's not distributed: it comes from one computer.

Neal Quinn, COO at DoS defence business Prolexic, worried:

What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes.

But he didn't stay concerned for long as, incredibly, HULK is not difficult to smash. Although the tool is difficult to spot in regular traffic, once you know about it, you can take down the HULK.

Fortunately, this is not a very complex DoS tool. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.

From one guy in his garage to nation states, whose online exploits were big in the news this week when it was reported that none other than US President Barack Obama had ordered the deployment of the Stuxnet virus to try to set back Iran's nuclear programme.

Now that what everyone already knew - that countries do indeed cyber-spy on each other - is public, it's time to figure out how the coding minds behind such viruses can declare their genius on their CVs.

Anton Chuvakin, a research director in Gartner's IT1 Security and Risk Management group, said:

'Malware' … is now a legitimate occupation that you can put on your resume.

And suggested the upfront approach to CV updating:

2006-2007: Developed ‘attack software’ for XYZ government

Given that the coders in question probably had to sign one of those pesky NDAs though, perhaps the following from Peter Acheson of recruitment firm Peoplebank would be more suitable:

2009–11 – Department of Defence – Israel Project Director – Strategic Defence project. Worked on the development of strategic defence software for Department of Defence. Project had defence classification XYZ 123. Responsible for all aspects of overseeing development of the strategic software including management of 200 people.

But it wasn't all security this week: the tech world also saw Oracle not announcing new cloud offerings. The software giant had led everyone to believe that it would be "rounding out" its cloudy services, but instead it just kind of said more about what Oracle Cloud is and does.

Oh, and of course, the "announcement" gave CEO Larry Ellison the chance to diss some of his cloud rivals. First up for some caustic wit was nemesis SAP, which is expecting to have ERP software ready for the atmosphere in 2020.

Ellison quipped:

20/20, excellent vision. 20/20, a great news programme. 2020, a terrible time to get to the cloud.

And he also had a totally unveiled thrust at Workday for using a Flash-based UI and an object store instead of a relational database:

They have made some fundamental architectural decisions that are flat wrong, and I think calamitous.

And finally, the Motion Picture Ass. of America has said it won't stop legitimate users of Megaupload from getting their data back – as long as someone makes sure that data isn't pirated.

The judge has asked the Crown lawyer John Pike to start handing back data that isn't relevant to the trial, but he reckons there could be a problem there:

Police, to put it bluntly, would not have a clue what is relevant and what is not relevant. How could they? ®
