In this week’s podcast, we consider the DROWN vulnerability, the apparent resurrection of Hacking Team, and new CPS guidelines for prosecuting trolls
Hello and welcome to the IT Governance podcast. Here are this week’s stories:
First, brace yourself for acronyms and initialisms aplenty. Academic researchers have identified a “serious vulnerability” affecting 33% of all HTTPS servers – apparently including household names such as yahoo.com, buzzfeed.com and flickr.com – which could be exploited to decrypt captured traffic and to facilitate man-in-the-middle attacks. DROWN (which just about stands for Decrypting RSA with Obsolete and Weakened eNcryption) enables attackers to decrypt TLS sessions by abusing a server that still supports the SSLv2 protocol – that’s Secure Sockets Layer version 2, the mid-1990s cryptographic protocol now widely denigrated and deprecated by, among others, the Payment Card Industry Security Standards Council. “But no one uses SSLv2 for that very reason,” I can almost hear you saying. “We use TLS!” Maybe… but if your servers support SSLv2, which many are still configured to do even if no client ever negotiates it, you could still be vulnerable. The attack is cross-protocol: the TLS connection being decrypted never uses SSLv2 itself. What matters is whether any server holding the same RSA private key (the same web server, or a mail server reusing the certificate) will still complete an SSLv2 handshake, because that server becomes the decryption oracle. So the question to ask is not “do we use SSLv2?” but “does anything that holds this key still answer SSLv2?” More details – including how to disable SSLv2 – can be found on drownattack.com.
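To make that question answerable, here is a small SSLv2 probe as an added example. It is not code from the podcast, from the DROWN researchers or from drownattack.com, and it assumes only the message layouts of the SSL 2.0 draft specification: it hand-builds an SSLv2 CLIENT-HELLO, and reports whether a reply is a genuine SSLv2 SERVER-HELLO and which SSLv2 ciphers it offers. The sample server reply in the block is constructed, not a real capture; the probe function is the only network call.

```python
"""SSLv2 support probe (added example; not from the podcast or drownattack.com).
Message layouts follow the SSL 2.0 draft: a record header whose MSB marks the
2-byte form, and a SERVER-HELLO of type 4 carrying the server's cipher specs."""
import socket
import struct

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSL 2.0 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4
SSLV2_VERSION = 0x0002


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (MSB set = no padding)."""
    if len(body) >= 0x8000:
        raise ValueError("record too long")
    return struct.pack("!H", 0x8000 | len(body)) + body


def unwrap_record(data: bytes):
    """Body of the first SSLv2 record in data, or None if no complete record is
    present.  2-byte header when the MSB is set, 3-byte (with padding byte) otherwise."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    return body if len(body) == length else None


def build_client_hello(challenge: bytes = bytes(16)) -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher, with no session ID."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    return sslv2_record(body)


def parse_server_hello(data: bytes):
    """Cipher names offered by an SSLv2 SERVER-HELLO (possibly an empty list),
    or None if data is not an SSLv2 SERVER-HELLO (a TLS alert, an empty reply,
    a truncated record, or anything else)."""
    body = unwrap_record(data)
    if body is None or len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # type, session-id-hit, cert-type, version, cert len, cipher-specs len, conn-id len
    _, _hit, _ctype, version, cert_len, cs_len, _cid_len = struct.unpack("!BBBHHHH", body[:11])
    if version != SSLV2_VERSION or cs_len % 3:
        return None
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    if len(specs) != cs_len:
        return None
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, cs_len, 3)]


def sample_server_hello() -> bytes:
    """Constructed reply from a server that still speaks SSLv2 (not a real
    capture): a 4-byte placeholder certificate, two ciphers, a 16-byte conn ID."""
    cert, specs, conn_id = b"\xde\xad\xbe\xef", b"\x01\x00\x80\x07\x00\xc0", bytes(16)
    hdr = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                      len(cert), len(specs), len(conn_id))
    return sslv2_record(hdr + cert + specs + conn_id)


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Send the CLIENT-HELLO to a live host and parse the reply.  A non-None
    result means the host still negotiates SSLv2, so any TLS service sharing its
    RSA key is exposed to DROWN.  Network call; the offline sample does not use it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        while unwrap_record(data) is None:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
    return parse_server_hello(data)
```

Run `probe("mail.example.com", 25)` style checks against every host that holds a copy of the key, not only the HTTPS front end; a TLS-only server will close the connection or send a TLS alert, and the parser returns None for both.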
Last July, Hacking Team, a controversial Italian cyber security company that provided surveillance software to law enforcement agencies and governments around the world – including some oppressive regimes – was itself hacked. Among the material leaked by the perpetrators were exploits for a number of zero-day vulnerabilities that Hacking Team was using on behalf of its customers. Now, a new version of Hacking Team’s Remote Control System spyware, targeting Apple’s OS X, has been uncovered. The good news, as Graham Cluley explains on intego.com, is that “unless you are using a computer which is of interest to a government or intelligence agency, chances are that you will not have much to fear”. Nevertheless, you should make sure your Mac antivirus defences are up to date. It’s not yet known whether this is actually the work of Hacking Team or of a third party using Hacking Team’s leaked code to create their own malware.
Some good news for online safety: updated guidelines issued by the Crown Prosecution Service this week propose that Internet trolls who use fake online profiles to harass others should be prosecuted. The CPS guidelines advise prosecutors that charges can be pressed under existing laws if online activity results in credible threats of violence; if individuals are specifically targeted by communications that may constitute harassment or stalking, controlling or coercive behaviour, revenge pornography, blackmail or another offence; or if it results in a breach of a court order. Director of public prosecutions Alison Saunders said, “Worryingly, we have seen an increase in the use of cyber-enabled crime in cases related to violence against women and girls, including domestic abuse.” A six-week consultation period on the proposals has been launched.
And that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.