In its most recent quarterly filing with the Securities and Exchange Commission (SEC), Ubiquity, Inc, a Silicon Valley networking equipment company, revealed that they had been the victim of a $46.7 million cyberheist. The swindle is an increasingly common one, known variously as CEO fraud, business email compromise (BEC) or man in the email (MITE) attacks, and it targets companies that make a lot of wire transfers, especially to overseas business partners.

On July 19th security blogger Brian Krebs broke a story on a security breach at adultery hookup site AshleyMadison.com. Actually AM is just the largest of three “adult” web properties owned by Avid Life Media (ALM), all having to do with hooking people up for sexual encounters. Credit was claimed by the “Impact Team” who have threatened to publish data on millions of users unless the Ashley Madison site is shut down. To date neither has happened, except for the identification of two hapless users, one in the US and one near Toronto (where ALM is based). While ALM’s websites remain online, their planned London IPO is said to be in trouble.

Vulnerability On Monday, Zimperium Inc, a maker of mobile security solutions, announced that their security researcher Joshua J Drake (@jduck), had discovered a serious vulnerability in the Stagefright library in Android that allows for arbitrary remote code execution, which could be triggered just by sending a MMS message. (Related coverage here, and here.) Stagefright is Android’s library for handling certain types of media files.

When it comes to data breaches, 2014 was a difficult year for the U.S. retail industry. The FBI warned of this a year ago in the wake of the Target and Neiman Marcus data breaches. The increasing concern in both the industry and government was justified, as we saw many high profile attacks. Beginning with Target, there were data breaches at at least 9 prominent national brands, over half of them linked to malware installed on Point of Sale (POS) terminals.

A new Ponemon Institute survey, sponsored by Varonis Systems (press release here) examined corporate internal data protection practices as seen by 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees, in a variety of industries including financial services, public sector, health & pharmaceutical, retail, industrial, and technology and software.

Bruce Schneier has an interesting post about a new free and open Certificate Authority, called Let's Encrypt. Let's Encrypt is designed to let any web server administrator obtain a server certificate that is recognized by the major browsers at no charge and even more important automatically. Part of the Let's Encrypt model is automating the steps that can prove to the CA that the certificate request is coming from an entity that controls both the server and the domain.

Living without browser Java has been easy. The only thing I've used that wanted to use the browser plugin for Java was the download manager on a web site that also had direct SSL links. No biggie.

Paul Ducklin has an interesting piece on HTML 5. Although browsers have been building HTML 5 support into their browsers for a while, it officially became a standard as of October 28th. As the press release from the W3C Consortium states HTML5 brings to the Web video and audio tracks without needing plugins; programmatic access to a resolution-dependent bitmap canvas, which is useful for rendering graphs, game graphics, or other visual images on the fly; native support for scalable vector graphics (SVG) and math (MathML);

Let's start with a story. We recently were estimating the effort to fix up a client's audit findings, when I read "update web server configurations to upgrade SSL support from SSLv2 to SSLv3." To be fair to the auditor, the findings were probably reported before the vulnerability I will describe below (POODLE) was announced. However, SSLv3 was already viewed with suspicion, and had to be disabled if a system needed to be FIPS 140-2 compliant. While not every system needs that, it's indicative that SSLv3 is disallowed from the standard. (By the way the auditor was correct that SSLv2 needed to be disabled. In addition to its many weaknesses, SSLv2 is not compliant with either FIPS 140-2 or the PCI DSS.) Moral: the fact that one version of a protocol is bad doesn't make the next version acceptable. A recent announcement of a new vulnerability in SSLv3 (CVE-2014-3566) when using ciphers operating in cipher block chaining (CBC) mode. Because of how SSLv3 handles the block structure and padding out plain text to the block size, it is possible to construct attacks that manipulate padding to disclose plain text.

There is a lot of attention on the posting of Dropbox user name and password combinations on Pastebin. The posters claim that the 400 accounts posted are just the first installment of almost 7 million that they hold. Spot checking by security researchers indicate that they are genuine (although a follow dump as not). Dropbox has issued a statement their servers were not hacked: