'That's a FUBAR train wreck waiting to happen'

Plus: 'It is fairly simple to stop HULK attacks'

Providing a secure and efficient Helpdesk

Quotw This was the week that was all about security - or the lack thereof.

LinkedIn, eHarmony and Last.fm all got hacked and had user passwords stolen. Millions of members from the business network and the dating site had their passwords published online, while users were also getting spammed, indicating emails may have been taken too.

LinkedIn came off the worst in the hacks, as its users' passwords were published in hashed form, when many security experts recommend salting as well as hashing for encrypting data.

One annoyed member told The Reg:

When you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that's a FUBAR train wreck waiting to happen.

Both LinkedIn and eHarmony were also less than forthcoming about whether or not other information could have been stolen when the hackers were creeping about in their system. Despite the fact that members were reporting being inundated with spam and phishing emails, the sites were staying mum.

A spammed eHarmony user said:

Not surprisingly, eHarmony haven't answered my requests for more information.

Data breaches continue to be taken more and more seriously in the UK, as the Information Commissioner's Office handed out its biggest cash smackdown yet, to an NHS trust.

The Brighton and Sussex University Hospitals NHS Trust was fined £325,000 for leaving data on patients and staff on hard drives that ended up on eBay instead of being destroyed.

However, the Trust is ticked off with the size of the whopping penalty and disagrees that it was "reckless" in protecting data, which needs to be proved for the ICO to release the hounds.

The Trust said it was appealing the ruling, adding:

It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would 'prejudice the monetary penalty process'.

Meanwhile, a security researcher accidentally handed over big, green ammunition to the bad guys when he shared his new HULK attack tool on his blog.

The malware you wouldn't like when it's angry is a denial of service tool, but it's not distributed, it comes from one computer.

Neal Quinn, COO at DoS defence business Prolexic worried:

What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes.

But he didn't stay concerned for long as incredibly, HULK is not difficult to smash. Although the tool is difficult to spot in regular traffic, once you know about it, you can take down the HULK.

Fortunately, this is not a very complex DoS tool. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.

From one guy in his garage to nation states, whose online exploits were big in the news this week when it was reported that none other than US President Barack Obama had ordered the deployment of the Stuxnet virus to try to set back Iran's nuclear programme.

Now that what everyone already knew - that countries do indeed cyber-spy on each other - is public, it's time to figure out how the coding minds behind such viruses can declare their genius on their CVs.

Anton Chuvakin, a research director in Gartner's IT1 Security and Risk Management group said:

'Malware' … is now a legitimate occupation that you can put on your resume.

And suggested the upfront approach to CV updating:

2006-2007: Developed ‘attack software’ for XYZ government

Given that the coders in question probably had to sign one of those pesky NDAs though, perhaps the following from Peter Acheson of recruitment firm Peoplebank would be more suitable:

2009–11 – Department of Defence – Israel Project Director – Strategic Defence project. Worked on the development of strategic defence software for Department of Defence. Project had defence classification XYZ 123. Responsible for all aspects of overseeing development of the strategic software including management of 200 people.

But it wasn't all security this week, the tech world also saw Oracle not announcing new cloud offerings. The software giant had led everyone to believe that it would be "rounding out" its cloudy services, but instead it just kind of said more about what Oracle Cloud is and does.

Oh, and of course, the "announcement" gave CEO Larry Ellison the chance to diss some of his cloud rivals. First up for some caustic wit was nemesis SAP, which is expecting to have ERP software ready for the atmosphere in 2020.

Ellison quipped:

20/20, excellent vision. 20/20, a great news programme. 2020, a terrible time to get to the cloud.

And he also had a totally unveiled thrust at Workday as well for using a Flash-based UI and an object store instead of a relational database:

They have made some fundamental architectural decisions that are flat wrong, and I think calamitous.

And finally, the Motion Picture Ass. of America has said it won't stop legitimate users of Megaupload from getting their data back – as long as someone makes sure that data isn't pirated.

The judge has asked the Crown lawyer John Pike to start handing back data that isn't relevant to the trial, but he reckons there could be a problem there:

Police, to put it bluntly, would not have a clue what is relevant and what is not relevant. How could they? ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Are you a fat boy? Get to university NOW, you PENNILESS SLACKER
Rotund types paid nearly 20% less than people who didn't eat all the pies
Oz carrier Tiger Air takes terror alerts to new heights
Don't doodle, it might cost you your flight
Emma Watson should SHUT UP, all this abuse is HER OWN FAULT
... said an anon coward who we really wish hadn't posted on our website
Japan develops robot CHEERLEADERS which RIDE on BALLS
'Will put smiles on faces worldwide', predicts corporate PR chief
Bruges Booze tubes to pump LOVELY BEER underneath city
Belgian booze pumped from underground
Amazon: Wish in one hand, Twit in the other – see which one fills first
#AmazonWishList A year's supply of Arran scotch, ta
Let it go, Steve: Ballmer bans iPads from his LA Clippers b-ball team
Can you imagine the scene? 'Hey guys, it's your new owner – WTF is that on your desk?'
Oi, London thief. We KNOW what you're doing - our PRECRIME system warned us
Aye, shipmate, it be just like that Minority Report
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.