Mozilla Releases Security Updates for Firefox and Thunderbird

Original release date: December 02, 2014

The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to obtain sensitive information, cause a denial of service, or trigger a buffer overflow in an affected application.

Updates available include:

  • Firefox 34
  • Firefox ESR 31.3
  • Thunderbird 31.3

US-CERT encourages users and administrators to review Mozilla's Security Updates and apply the necessary updates.


Sony Pictures hack gets uglier; North Korea won’t deny responsibility [Updated]

More evidence has emerged that makes the Sony Pictures hack look similar to a suspected attack on South Korean companies over a year ago. And a spokesperson for the North Korean government, rather than denying his country’s involvement, is playing coy as the damage to Sony appears to be growing daily.

When contacted by the BBC, a spokesperson for North Korea’s mission to the United Nations said, "The hostile forces are relating everything to [North Korea]. I kindly advise you to just wait and see."

Sony Pictures’ computers were reportedly the victim of wiper malware that erased all the data on infected PCs and on the servers they were connected to. As Ars reported yesterday, this resembles the 2013 attack on two South Korean broadcasters and a bank. As security reporter Brian Krebs reports, the FBI this week sent a “Flash Alert” to law enforcement warning of a cyber attacker using “wiper” malware, malicious software that erases the entire contents of the infected machine’s hard drives as well as its master boot record. The FBI shared a Snort intrusion detection signature for the malware file, and as Krebs noted, "the language pack referenced by the malicious files is Korean."
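The article describes the wiper overwriting the master boot record (MBR) as well as file contents. The following is an added example, not code from the article, from Krebs, or from the FBI alert, and it does not reproduce the FBI's Snort signature. It shows the kind of baseline-and-compare check a responder can run against the first sector of a disk image to tell an intact MBR from one that has been zeroed: it decodes the four partition entries at offset 446, checks the 0x55AA boot signature at offset 510, and compares the sector's SHA-256 against a previously recorded baseline. The sample "healthy" and "wiped" sectors are constructed in memory; on a real system you would read the first 512 bytes from a forensic image file or a raw block device (which requires administrative privileges).

```python
"""Baseline-and-compare check for Master Boot Record (MBR) tampering.

Added example; not from the original article, Krebs, or the FBI alert.
Operates on a raw disk image (or the first sector of a block device) plus a
previously recorded SHA-256 baseline of that sector. The sample images below
are constructed in memory for illustration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # must sit at offset 510 of a valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code


def read_mbr(data: bytes) -> bytes:
    """Return the first 512 bytes (the MBR) of a disk image or device dump."""
    if len(data) < SECTOR_SIZE:
        raise ValueError("image shorter than one sector")
    return data[:SECTOR_SIZE]


def mbr_digest(mbr: bytes) -> str:
    """SHA-256 of the sector, used as the recorded baseline."""
    return hashlib.sha256(mbr).hexdigest()


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446.

    Layout of each entry: status (1), CHS start (3), type (1), CHS end (3),
    LBA of first sector (4, little-endian), sector count (4, little-endian).
    """
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = mbr[off:off + 16]
        status = entry[0]
        ptype = entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(data: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    mbr = read_mbr(data)
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if mbr == b"\x00" * SECTOR_SIZE:
        findings.append("MBR sector is all zeros")
    if mbr_digest(mbr) != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    parts = parse_partition_table(mbr)
    if not any(p["type"] != 0 and p["sectors"] > 0 for p in parts):
        findings.append("no populated partition entries")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: boot stub, one bootable NTFS-type (0x07) partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x63\x90"  # a typical jmp stub at the start of boot code
    entry = struct.pack("<B3sB3sII",
                        0x80, b"\x01\x01\x00",   # bootable, CHS start
                        0x07, b"\xFE\xFF\xFF",   # NTFS/exFAT type, CHS end
                        2048, 2_000_000)         # LBA start, sector count
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def wipe_sample(mbr: bytes) -> bytes:
    """Constructed 'after' state: the first sector overwritten with zeros."""
    return b"\x00" * len(mbr)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = mbr_digest(healthy)
    print("healthy:", check_mbr(healthy, baseline))                # []
    print("wiped:  ", check_mbr(wipe_sample(healthy), baseline))
```

The baseline hash must be taken while the system is known good and stored off the host, since a wiper that reaches the disk can also reach any baseline kept on it. A hash mismatch by itself is not proof of malice (a legitimate bootloader update changes the sector too), which is why the check also reports structural symptoms such as a missing boot signature or an empty partition table.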


Critical networks in US, 15 other nations, completely owned, possibly by Iran

For more than two years, pro-Iranian hackers have penetrated some of the world's most sensitive computer networks, including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said.

In many cases, "Operation Cleaver," as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world's critical infrastructure. Cylance researchers wrote:

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allow[ing] unfettered access to the victim’s domains. We were witnessed [sic] a shocking amount of access into the deepest parts of these companies and the airports in which they operate.

Tuesday's 86-page report relies on circumstantial evidence to conclude that the 20 or more hackers participating in Operation Cleaver are backed by Iran's government. Members use Persian handles such as Salman Ghazikhani and Bahman Mohebbi; they work from numerous Internet domains, IP addresses, and autonomous system numbers registered in Iran; and many of the custom-configured hacking tools they use issue warnings when their external IP addresses trace back to the Middle Eastern country. The infrastructure supporting the vast campaign is too sprawling to be the work of a lone individual or small group; the report argues it could only have been sponsored by a nation state.


New EU Guidelines on “Google Spain”: Right to be Forgotten

The Article 29 Working Party published new Guidelines on the Right to be Forgotten on 26 November 2014.  This is the latest chapter in the story which began with the Google Spain case.  In that case, the Court of Justice of the EU (CJEU) decided that EU data protection law already provides individuals with a right to have irrelevant or outdated information about them de-listed from search results.

Here are the key points:

  • Aim of Guidelines:  To guide DPAs on how to implement the CJEU judgment in Google Spain.  The Guidelines also contain a list of common criteria which DPAs can apply in handling complaints, but the criteria should be seen as a “flexible working tool”.  No single criterion is determinative and the list is non-exhaustive!  So individual decisions and assessments will be very much “case-by-case”.
  • Search Engines:  The Guidelines confirm that search engines act as controllers (as per the Court ruling).  The “mischief” is that processing by a search engine could allow you to generate a detailed profile of an individual.  This probably means that individual publishers should be treated as lower risk.
  • Privacy takes Priority:  The rights of the individual, as a general rule, will prevail over commercial interests of the search engine and freedom of expression.  This is the most controversial aspect of the ruling.
  • People “in Public Life”:  DPAs will consider the role played by the data subject in public life.  Such individuals are less likely to be able to rely on the right to be forgotten.  Interestingly, people in public life could include politicians, senior public officials, business people and members of regulated professions.
  • Process:  Individuals should be able to exercise their rights using any adequate means (online procedures and electronic forms should not be mandatory).  This could cause practical difficulties in responding to the volume of requests.
  • Extra-territorial scope:  The CJEU ruling says that a non-EU company can be deemed to be “established” in the EU by virtue of its subsidiaries.  This could have much wider implications than intended.  Have another look at your group structure to ensure you are not caught.  For search engines, the .com domains will also have to comply, although DPAs will tend to focus on claims by EU citizens or residents.
  • The Search Engines have to de-list all source content?  No; they only need to de-list in relation to searches made by the name of the individual.
  • Can Search Engines tell users that content has been de-listed?  No; unless notices or statements are made in a consistent way (i.e. permanent general statements on search engines’ webpages).
  • Can Search Engines tell web publishers about proposed de-listing?  In general: No.  The only exception will be the “particularly difficult cases” where it is necessary to get a fuller understanding of the circumstances to decide whether to de-list.  So if you publish content that is then de-listed, you won’t necessarily be told about the de-listing.

The Guidelines include a template set of criteria. Search engines are encouraged to publish their own de-listing criteria and make more detailed statistics available.

Optimistically, the Guidelines say that the decision as to whether to de-list particular search results will, in essence, be “a routine assessment” of whether the processing of personal data complies with the data protection principles.  Needless to say, it is going to be a bit more complicated than that!