Feeds

'That's a FUBAR train wreck waiting to happen'

Plus: 'It is fairly simple to stop HULK attacks'

Internet Security Threat Report 2014

Quotw This was the week that was all about security - or the lack thereof.

LinkedIn, eHarmony and Last.fm all got hacked and had user passwords stolen. Millions of members from the business network and the dating site had their passwords published online, while users were also getting spammed, indicating emails may have been taken too.

LinkedIn came off the worst in the hacks, as its users' passwords were published in hashed form, when many security experts recommend salting as well as hashing for encrypting data.

One annoyed member told The Reg:

When you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that's a FUBAR train wreck waiting to happen.

Both LinkedIn and eHarmony were also less than forthcoming about whether or not other information could have been stolen when the hackers were creeping about in their system. Despite the fact that members were reporting being inundated with spam and phishing emails, the sites were staying mum.

A spammed eHarmony user said:

Not surprisingly, eHarmony haven't answered my requests for more information.

Data breaches continue to be taken more and more seriously in the UK, as the Information Commissioner's Office handed out its biggest cash smackdown yet, to an NHS trust.

The Brighton and Sussex University Hospitals NHS Trust was fined £325,000 for leaving data on patients and staff on hard drives that ended up on eBay instead of being destroyed.

However, the Trust is ticked off with the size of the whopping penalty and disagrees that it was "reckless" in protecting data, which needs to be proved for the ICO to release the hounds.

The Trust said it was appealing the ruling, adding:

It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'.

Meanwhile, a security researcher accidentally handed over big, green ammunition to the bad guys when he shared his new HULK attack tool on his blog.

The malware you wouldn't like when it's angry is a denial of service tool, but it's not distributed, it comes from one computer.

Neal Quinn, COO at DoS defence business Prolexic worried:

What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes.

But he didn't stay concerned for long as incredibly, HULK is not difficult to smash. Although the tool is difficult to spot in regular traffic, once you know about it, you can take down the HULK.

Fortunately, this is not a very complex DoS tool. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.

From one guy in his garage to nation states, whose online exploits were big in the news this week when it was reported that none other than US President Barack Obama had ordered the deployment of the Stuxnet virus to try to set back Iran's nuclear programme.

Now that what everyone already knew - that countries do indeed cyber-spy on each other - is public, it's time to figure out how the coding minds behind such viruses can declare their genius on their CVs.

Anton Chuvakin, a research director in Gartner's IT1 Security and Risk Management group said:

'Malware' … is now a legitimate occupation that you can put on your resume.

And suggested the upfront approach to CV updating:

2006-2007: Developed ‘attack software’ for XYZ government

Given that the coders in question probably had to sign one of those pesky NDAs though, perhaps the following from Peter Acheson of recruitment firm Peoplebank would be more suitable:

2009–11 – Department of Defence – Israel Project Director – Strategic Defence project. Worked on the development of strategic defence software for Department of Defence. Project had defence classification XYZ 123. Responsible for all aspects of overseeing development of the strategic software including management of 200 people.

But it wasn't all security this week, the tech world also saw Oracle not announcing new cloud offerings. The software giant had led everyone to believe that it would be "rounding out" its cloudy services, but instead it just kind of said more about what Oracle Cloud is and does.

Oh, and of course, the "announcement" gave CEO Larry Ellison the chance to diss some of his cloud rivals. First up for some caustic wit was nemesis SAP, which is expecting to have ERP software ready for the atmosphere in 2020.

Ellison quipped:

20/20, excellent vision. 20/20, a great news programme. 2020, a terrible time to get to the cloud.

And he also had a totally unveiled thrust at Workday as well for using a Flash-based UI and an object store instead of a relational database:

They have made some fundamental architectural decisions that are flat wrong, and I think calamitous.

And finally, the Motion Picture Ass. of America has said it won't stop legitimate users of Megaupload from getting their data back – as long as someone makes sure that data isn't pirated.

The judge has asked the Crown lawyer John Pike to start handing back data that isn't relevant to the trial, but he reckons there could be a problem there:

Police, to put it bluntly, would not have a clue what is relevant and what is not relevant. How could they? ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Swiss wildlife park serves up furry residents to visitors
'It's ecological' says spokesman, now how would you like your Bambi done?
Win a year’s supply of chocolate (no tech knowledge required)
Over £200 worth of the good stuff up for grabs
Facebook's Zuckerberg in EBOLA VIRUS FIGHT: Billionaire battles bug
US Centers for Disease Control and Prevention contacted as site supremo coughs up
Internet finally ready to replace answering machine cassette tape
It's a simple message and I'm leaving out the whistles and bells
ePassport to Transnistria: NEXTIFYING the Nation State with BONG
Hey the Man, you can't geoblock distributed democracy
Red Bull does NOT give you wings, $13.5m lawsuit says so
Website letting consumers claim $10 cash back crashes after stampede
Down-under record: Australian gets $140k for pussy
'Tiffany' closes deal - 'it's more common to offer your wife', says agent
Trolls have DARK TETRAD of personality defects, say trickcyclists
Think psychopathy and BDSM dungeons, not desktops
The iPAD launch BEFORE it happened: SPECULATIVE GUFF ahead of actual event
Nerve-shattering run-up to the pre-planned known event
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.