Vodafone 'hacking' of reporter's phone must be investigated, says Greens senator

A report published in The Guardian revealed that Australian Greens senator Scott Ludlam has urged the Australian Federal Police and the Australian Communications and Media Authority to investigate Vodafone over a serious privacy breach in which a journalist’s phone records were accessed.

According to the news report, Natalie O’Brien, a Fairfax journalist, had her phone records leaked by a Vodafone employee in 2011, after she reported on a major data breach the company had suffered.
“The Office of the Australian Information Commissioner and Acma have both released statements acknowledging they have been made aware of the breach, but neither organisation has committed to an investigation,” the news report added.

Under the Telecommunications Act, no one, whether a telecommunications provider or one of its employees, has authority to use or disclose information relating to the contents of phone records.

“It’s flat out a really interesting test of whether the laws that protect privacy in Australia are actually going to be upheld by the regulators,” Ludlam told Guardian Australia. “There’s two issues. One will be whether the Acma’s directions were upheld. It’s not clear to me whether they were. Secondly, whether the federal police are intending to investigate the company for illegal access of phone records.”

He said that while Vodafone was facing scrutiny for this particular breach, the case was an important illustration to put all companies on notice about their privacy obligations.

According to the news report, in December 2011 Acma gave formal directions to Vodafone that required it to take certain steps to improve its data practices. If the regulator were to investigate and find that its directions had been breached, Vodafone could face heavy financial penalties.

In a statement released on Monday, acting information commissioner and privacy commissioner Timothy Pilgrim said the OAIC had been made aware of “an allegation about inappropriate access to an individual’s telephone records in May 2015.”

“The OAIC has been in contact with Vodafone to make inquiries about the allegation. The OAIC has also been liaising with the Australian Communications and Media Authority about these allegations, in accordance with the memorandum of understanding between the two agencies,” the statement read.

Acma also released a statement saying it was aware of the allegations.

“The Acma has not previously investigated these allegations,” the spokesperson said.

Wassenaar Cybersecurity Rules – How India Must Respond

In December 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”) extended its reach to the cyber world. The extension seemed to signal a broad attack on the export of many categories of cyber security software, including commercially available penetration testing and network monitoring products, zero days and other computer exploits. Interestingly, these changes emerged after media reports of purchases of zero-day computer exploits, i.e., exploits for previously unknown security vulnerabilities, by the US National Security Agency (NSA) for use by its hacking team.

Cyber security experts around the world and large companies like Google have raised a banner of revolt against the Wassenaar changes and the proposals of the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) for implementing them. They have expressed serious concerns about the impact of these changes on the discovery of new vulnerabilities that could pose a threat to the internet globally.

If anything, the general impression is that the Wassenaar changes and their implementation by the signatory countries would actually make the internet more dangerous to users around the world. Google has been quoted as saying that the rules “are dangerously broad and vague and would have a significant, negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users and make the Web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.”

The fierce criticism and loud public protest have had a temporary impact. The US Department of Commerce has now committed to drafting new rules to replace or amend the earlier draft.

It is pertinent to note here that, in response to the Wassenaar changes, VUPEN, a well-known zero-day exploit firm (and also a supplier of exploits to the NSA), announced its decision to restrict exploit sales to approved government agencies in approved countries.

So what does all this mean for India? While the Wassenaar Arrangement might have worked in the physical world, will it work in the borderless cyber world? Will a country like Russia, a leading global supplier of cyber security software and tools, implement rules to accommodate the Wassenaar changes, especially at a time when it is facing economic headwinds and is under sanctions from the US and the EU? It does not seem to be in Russia’s interest at all, given its enormous strengths in the cyber security area and the huge market for such products.

But India cannot afford to speculate on which way the wind will blow. The ongoing transformation of India into a digital economy implies the need for strong cyber security defences. Imagine a situation where commercial or defence software is found to have vulnerabilities, whether accidental or deliberate, and the country lacks the tools to test for and mitigate them. What if such vulnerabilities are discovered in software used in sectors such as critical infrastructure, public utilities, financial services or health information systems? What if vulnerabilities are found in the SCADA (industrial automation control) systems used by major industries and the energy sector?

Clearly, India needs to build its own cyber security defences, and do it fast. Some expertise is available in the country, and it needs to be complemented with global talent.

The Government, leading software companies, defence companies and major users need to invest liberally in funding and supporting talented cyber security professionals. The Government should support some aggression in sourcing relevant tools, technology and talent from wherever required in the world. Israel’s export of cyber security software now exceeds that of physical weapons systems, and there is a lesson for India here in the form of a military/industrial/cyber security professionals complex to meet India’s needs.

As is known, India has faced serious problems in the past with imports of critical technologies in the defence, space and nuclear sectors. In the context of cyber security, we now have advance warning of problems that are around the corner. It makes no sense to run into a wall all over again, and as such a proactive and immediate national response is called for.
Prasanna J, Founder of Cyber Security and Privacy Foundation.

Mozilla patches severe vulnerabilities in its Bugzilla bug tracking system

Mozilla confirmed on September 4 that an attacker stole security-sensitive vulnerability information from its Bugzilla bug tracking system, gaining access to details of unpatched zero-day bugs.

Mozilla has now patched all the flaws the attacker gained access to, and the company said it would take its own security more seriously than before.

The attacker is also said to have used the information to attack Firefox users, the maker of the open-source Firefox browser warned on Friday.

“The attacker acquired the password of a privileged Bugzilla user, who had access to security-sensitive information. Information uncovered in our investigation suggests that the user re-used their Bugzilla password with another website, and the password was revealed through a data breach at that site,” Mozilla said in an FAQ on the breach.

The one bug that was exploited in the wild was used to collect private data from Firefox users who visited a Russian news site.

The attacker accessed approximately 185 bugs that were non-public. Among them, 53 were said to be severe vulnerabilities. Mozilla claims that 43 of the severe flaws had already been patched in the Firefox browser by the time the attacker accessed the bug information. That leaves 10 bugs that the attacker had access to before they were patched, and that's where the potential risk to Firefox users lies.

“The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013,” the company said.

The company said that during its investigation it found that the user had re-used their Bugzilla password on another website, and that the password was revealed through a data breach at that site.

Firefox security lead Richard Barnes detailed what Mozilla is now doing to improve Bugzilla's security.

"We are updating Bugzilla's security practices to reduce the risk of future attacks of this type," Barnes wrote. "As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication."

Bug in the GitHub Extension for Visual Studio Makes Developer Lose $6,500

Carlo van Wyk, a South African web developer, said that he lost $6,500 (£4,250) in just a few hours because a flaw in a tool for using Microsoft's Visual Studio IDE with the code-sharing site GitHub inadvertently exposed his sensitive data.

He used the GitHub Extension for Visual Studio 2015 to commit one of his local Git code repositories to a private repository on GitHub. However, unknown to him at the time, a bug in the extension, which is developed and maintained by GitHub itself, caused his code to be committed to a public GitHub repository rather than the private one he intended.

Once he reported the bug, both of the companies concerned fixed it.

According to a report published in The Register, within around ten minutes of publishing his code he received a notification from Amazon Web Services telling him his account had been compromised. He had included an AWS access key in the code that he had committed to GitHub.

Although he immediately changed his AWS root password, revoked all of his access keys and created new ones, within hours the crooks had managed to sign him up for AWS's Elastic Compute Cluster and fire off more than 20 instances in each EC2 region.

By then his AWS account had racked up a bill of $6,484.99.

AWS was not available for comment, The Register reported. GitHub, however, has apologized for the error in its code, calling it "inexcusable."
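The root cause that made the extension bug costly was a live AWS access key sitting in the committed source. The check below is an added example (not code from GitHub, Microsoft or the developer involved) of a pre-commit secret scan that refuses a commit containing AWS credentials, so a key never reaches any remote, public or private; it assumes the documented AKIA/ASIA prefix format for access key IDs, and the sample config it scans is constructed with placeholder values.

```python
"""Pre-commit check for hard-coded AWS credentials (illustrative example)."""
import re
import subprocess
import sys

# AWS access key IDs: documented AKIA/ASIA prefixes, 20 characters in total.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-char base64-like token within 40 chars of "aws" or "secret" is a likely
# secret access key; kept as a separate, narrower pattern because a bare
# 40-char token on its own would be far too noisy.
AWS_SECRET = re.compile(
    r"(?i)(?:aws|secret)[^\n]{0,40}?['\"]?([A-Za-z0-9/+=]{40})['\"]?")


def find_aws_credentials(text):
    """Return [(line_number, kind, redacted_value)] for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            key = m.group(1)
            hits.append((lineno, "access_key_id", key[:4] + "..." + key[-4:]))
        for m in AWS_SECRET.finditer(line):
            hits.append((lineno, "secret_access_key", "****" + m.group(1)[-4:]))
    return hits


def staged_added_lines():
    """Lines that `git commit` would record: the '+' lines of the staged diff."""
    out = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                         capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in out.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


# Constructed sample of a config file with placeholder (not real) credentials.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

if __name__ == "__main__":
    # Run with any argument to scan the real staged diff instead of the sample.
    text = staged_added_lines() if len(sys.argv) > 1 else SAMPLE
    for lineno, kind, value in find_aws_credentials(text):
        print(f"line {lineno}: possible AWS {kind} {value}")
    # A non-zero exit status blocks the commit when installed as a git hook.
    sys.exit(1 if find_aws_credentials(text) else 0)
```

Installed as `.git/hooks/pre-commit` this stops the commit locally; it does not replace rotating a key that has already been pushed, which van Wyk rightly did first.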

WordPress 4.3 automatically generates secure password

WordPress has announced that version 4.3, dubbed “Billie” in honor of jazz singer Billie Holiday, is available for download, with changes to its password security system.

The new password reset system sends a reset link with a 24-hour expiry window, and users also receive an e-mail notification if their e-mail address or password is changed.

In a blog post, WordPress developer Brian Krogsgard said, “This is a relatively minor change to WordPress that will significantly enhance default user behavior for a big security win.”

For new WordPress users, a feature has been added that automatically generates a secure password, which means users have a strong password by default. A password strength meter helps users gauge the strength of their password.

“Although WordPress isn't stopping you from choosing terrible passwords, the default in 4.3 is that you get secure passwords, and making them less secure takes a bit of work,” noted Mark Jaquith, a lead WordPress core developer.

Creepy Voice that you heard from Your Baby Monitor is not of a Ghost

Beware of Internet-connected cameras, security cameras and monitoring systems, as they can easily be hacked. Camera hacking has become a serious issue because of the potential for unauthorized people to make video recordings.

Ontario Provincial Police (OPP) issued a warning on Wednesday reminding people that these systems can be susceptible to hackers because many have remote access enabled by default. The warning followed an incident on July 7 in which a family from southwestern Ontario watched the baby monitor pointed at their young child suddenly begin playing music, while a voice said they were being watched.

According to OPP Constable Liz Melvin, the child was about to sleep in the nursery when the camera was remotely activated.

“The camera played some eerie music and a voice could be heard indicating the parent and child were being watched,” Melvin told National Post. “Obviously it’s going to be disturbing.”

She said the family’s Internet service provider confirmed the router had been hacked and the source of the hack could be from anywhere in the world.

Although such baby monitor hacking cases are reported every month, Melvin said no other incidents had been reported and she was not aware of any past investigations into this type of camera hacking in the area.

She said there are no suspects in the case and the investigation is ongoing.

To protect themselves, people should use passwords to secure both their Internet connection and access to their monitoring systems. They should also buy cameras from trusted sources and cover the cameras when not in use.