'That's a FUBAR train wreck waiting to happen'

Plus: 'It is fairly simple to stop HULK attacks'

Top three mobile application threats

Quotw This was the week that was all about security - or the lack thereof.

LinkedIn, eHarmony and Last.fm all got hacked and had user passwords stolen. Millions of members from the business network and the dating site had their passwords published online, while users were also getting spammed, indicating emails may have been taken too.

LinkedIn came off the worst in the hacks, as its users' passwords were published in hashed form, when many security experts recommend salting as well as hashing for encrypting data.

One annoyed member told The Reg:

When you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that's a FUBAR train wreck waiting to happen.

Both LinkedIn and eHarmony were also less than forthcoming about whether or not other information could have been stolen when the hackers were creeping about in their system. Despite the fact that members were reporting being inundated with spam and phishing emails, the sites were staying mum.

A spammed eHarmony user said:

Not surprisingly, eHarmony haven't answered my requests for more information.

Data breaches continue to be taken more and more seriously in the UK, as the Information Commissioner's Office handed out its biggest cash smackdown yet, to an NHS trust.

The Brighton and Sussex University Hospitals NHS Trust was fined £325,000 for leaving data on patients and staff on hard drives that ended up on eBay instead of being destroyed.

However, the Trust is ticked off with the size of the whopping penalty and disagrees that it was "reckless" in protecting data, which needs to be proved for the ICO to release the hounds.

The Trust said it was appealing the ruling, adding:

It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'.

Meanwhile, a security researcher accidentally handed over big, green ammunition to the bad guys when he shared his new HULK attack tool on his blog.

The malware you wouldn't like when it's angry is a denial of service tool, but it's not distributed, it comes from one computer.

Neal Quinn, COO at DoS defence business Prolexic worried:

What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes.

But he didn't stay concerned for long as incredibly, HULK is not difficult to smash. Although the tool is difficult to spot in regular traffic, once you know about it, you can take down the HULK.

Fortunately, this is not a very complex DoS tool. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.

From one guy in his garage to nation states, whose online exploits were big in the news this week when it was reported that none other than US President Barack Obama had ordered the deployment of the Stuxnet virus to try to set back Iran's nuclear programme.

Now that what everyone already knew - that countries do indeed cyber-spy on each other - is public, it's time to figure out how the coding minds behind such viruses can declare their genius on their CVs.

Anton Chuvakin, a research director in Gartner's IT1 Security and Risk Management group said:

'Malware' … is now a legitimate occupation that you can put on your resume.

And suggested the upfront approach to CV updating:

2006-2007: Developed ‘attack software’ for XYZ government

Given that the coders in question probably had to sign one of those pesky NDAs though, perhaps the following from Peter Acheson of recruitment firm Peoplebank would be more suitable:

2009–11 – Department of Defence – Israel Project Director – Strategic Defence project. Worked on the development of strategic defence software for Department of Defence. Project had defence classification XYZ 123. Responsible for all aspects of overseeing development of the strategic software including management of 200 people.

But it wasn't all security this week, the tech world also saw Oracle not announcing new cloud offerings. The software giant had led everyone to believe that it would be "rounding out" its cloudy services, but instead it just kind of said more about what Oracle Cloud is and does.

Oh, and of course, the "announcement" gave CEO Larry Ellison the chance to diss some of his cloud rivals. First up for some caustic wit was nemesis SAP, which is expecting to have ERP software ready for the atmosphere in 2020.

Ellison quipped:

20/20, excellent vision. 20/20, a great news programme. 2020, a terrible time to get to the cloud.

And he also had a totally unveiled thrust at Workday as well for using a Flash-based UI and an object store instead of a relational database:

They have made some fundamental architectural decisions that are flat wrong, and I think calamitous.

And finally, the Motion Picture Ass. of America has said it won't stop legitimate users of Megaupload from getting their data back – as long as someone makes sure that data isn't pirated.

The judge has asked the Crown lawyer John Pike to start handing back data that isn't relevant to the trial, but he reckons there could be a problem there:

Police, to put it bluntly, would not have a clue what is relevant and what is not relevant. How could they? ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Spanish village called 'Kill the Jews' mulls rebranding exercise
Not exactly attractive to the Israeli tourist demographic
Oz bank in comedy Heartbleed blog FAIL
Bank: 'We are now safely patched.' Customers: 'You were using OpenSSL?'
Happy 40th Playmobil: Reg looks back at small, rude world of our favourite tiny toys
Little men straddle LOHAN, attend tiny G20 Summit... ah, sweet memories...
Forget the beach 'n' boardwalk, check out the Santa Cruz STEVE JOBS FOUNTAIN
Reg reader snaps shot of touching tribute to Apple icon
Lego is the TOOL OF SATAN, thunders Polish priest
New minifigs like Monster Fighters are turning kids to the dark side
Dark SITH LORD 'Darth Vader' joins battle to rule, er, Ukraine
Only I can 'make an empire out of a republic' intones presidential candidate
Chinese company counters pollution by importing fresh air
Citizens line up for bags of that sweet, sweet mountain air
Google asks April Fools: Want a job? Be our 'Pokemon Master'
Mountain View is prankin' like it's 1999...
prev story


SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.