Cybersecurity Roundup: Encryption Nose-dives and Botnets Burn


This week in the SiliconANGLE cybersecurity roundup, the government is tightening up more and more to avoid encryption fiascos in the future. Apple and Microsoft, on the other hand, are fighting their own individual battles against malware.

The Federal Trade Commission has passed down its verdict on RockYou following the hacking cock-up that happened back in 2009 and decided to fine the game developer $250,000. The incident happened because RockYou failed to encrypt user data and stored it in plain text; an SQL injection flaw in its flagship website then let the attackers pull the information out and publish it online. The compromised data includes 32 million e-mail addresses and passwords. To make matters worse, 179,000 of the hacked accounts belonged to minors, which counts as a separate violation of the Children’s Online Privacy Protection Act (COPPA).

Encryption is a fundamental part of cybersecurity and of protecting proprietary information. Getting hacked is ultimately going to happen; minimizing the impact of that attack by encrypting what is stored is a best practice. The other terms of the FTC’s settlement bar RockYou from making future deceptive claims about privacy and data security and from further violations of the COPPA Rule, and require it to implement and maintain a data security program, submit to security audits by independent third-party auditors every other year for 20 years, delete information collected from children under age 13, and pay a $250,000 civil penalty.
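The RockYou case turns on two defects: credentials stored in readable form, and a query that let user input reach the database engine. The following is an added example, not code from the article or from RockYou, that puts the two patterns side by side in Python with the standard-library sqlite3 module: string-built SQL over a plaintext table, and bound parameters over a table of salted PBKDF2 hashes (for stored passwords the right control is a one-way salted hash rather than reversible encryption, which is what "encrypting passwords" means in practice). The table and function names, the iteration count and the sample accounts are all constructed for this illustration.

```python
"""Two ways of storing login credentials, side by side.

users_plain  : plaintext passwords, SQL assembled by string formatting
               (the pattern the RockYou breach exposed)
users_hashed : salted PBKDF2 records, SQL with bound parameters

All sample data below is constructed; nothing comes from the breach itself.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows

# Constructed sample accounts. The apostrophe in the second address is there
# on purpose: it shows what happens when input is spliced into SQL text.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("o'brien@example.com", "hunter2"),
]


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, password_hash TEXT)")
    return conn


# --- the breached pattern: plaintext storage, SQL built from user input -------

def store_plaintext(conn, email, password):
    conn.execute(
        f"INSERT INTO users_plain (email, password) VALUES ('{email}', '{password}')"
    )


def lookup_plaintext(conn, email):
    # Whatever is in `email` becomes part of the SQL statement. A quote
    # character changes the statement's structure instead of being data.
    row = conn.execute(
        f"SELECT password FROM users_plain WHERE email = '{email}'"
    ).fetchone()
    return row[0] if row else None


# --- the hardened pattern: salted slow hash, bound parameters -----------------

def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def store_hashed(conn, email, password):
    # The driver binds the values; the SQL text never changes shape.
    conn.execute(
        "INSERT INTO users_hashed (email, password_hash) VALUES (?, ?)",
        (email, hash_password(password)),
    )


def check_login(conn, email, password):
    row = conn.execute(
        "SELECT password_hash FROM users_hashed WHERE email = ?", (email,)
    ).fetchone()
    return bool(row) and verify_password(password, row[0])


def dump_table(conn, table):
    """Everything a full table read (the outcome of the RockYou SQLi) reveals."""
    if table not in ("users_plain", "users_hashed"):  # allowlist: identifiers cannot be bound
        raise ValueError(table)
    return conn.execute(f"SELECT * FROM {table}").fetchall()


def demo():
    """Exercise both patterns and return the observations as a dict."""
    conn = new_db()
    email, password = SAMPLE_USERS[0]
    store_plaintext(conn, email, password)          # only the quote-free account fits
    for e, p in SAMPLE_USERS:
        store_hashed(conn, e, p)

    try:
        lookup_plaintext(conn, SAMPLE_USERS[1][0])  # the apostrophe reaches the SQL parser
        quote_reaches_parser = False
    except sqlite3.OperationalError:
        quote_reaches_parser = True

    hashed_rows = dump_table(conn, "users_hashed")
    return {
        "plaintext_readable": lookup_plaintext(conn, email) == password,
        "quote_reaches_parser": quote_reaches_parser,
        "hashed_dump_leaks_password": any(p in row[1] for _, p in SAMPLE_USERS for row in hashed_rows),
        "login_ok": check_login(conn, *SAMPLE_USERS[1]),
        "login_wrong_pw": check_login(conn, SAMPLE_USERS[1][0], "not the password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `quote_reaches_parser` observation is the detection signal a reviewer looks for: if a stray apostrophe in a field produces a database syntax error, user input is being parsed as SQL and the statement needs bound parameters. The self-describing hash record lets the iteration count be raised later while old records keep verifying.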

In another breach, a Utah Department of Technology Services (DTS) server was hacked not too long ago, which prompted governor Gary Herbert to call for a comprehensive audit of all state technology security and data storage procedures. The breach compromised Medicaid patient information belonging to 800,000 individuals. Initial reports put the number of affected individuals at only 24,000; it later turned out that 280,000 victims had their Social Security numbers stolen and another 580,000 had less sensitive information exposed.

Next, the recently captured LulzSec hacker pleaded guilty in federal court to one count each of conspiracy and unauthorized impairment of a protected computer for hacking Sony Pictures Entertainment. “I joined LulzSec, your honor, at which point we gained access to the Sony Pictures website,” Cody Kretsinger, 24, told the judge. He operated under the name Recursion and admitted that he gave the information to other LulzSec members, who posted it on the group’s website and on Twitter. He carried out the attack with two other hackers, Sabu (since caught) and Topiary, via SQL injection. The attack cost Sony over $600,000 in damages.

Another thing that may irritate Anonymous a bit is Pastebin CEO Jeroen Vader employing more people to monitor the website for pastes containing sensitive information. He clarified, however, that Pastebin is not against Anonymous, but that it will not tolerate the exposure of sensitive information and similar acts just to drive traffic and generate ad revenue. Anonymous is already encouraging its followers to use PasteBay instead, following the announcement that Pastebin is deleting the hacker collective’s data from the site.

Meanwhile, Apple has finally released a tool that removes the Flashback Trojan from infected Macs, after a parade of criticism that has been going on for some time now. The so-called “Java security update” also disables Java applets by default in all browsers, but only on machines running OS X Lion, the latest version. Users can re-enable applets if necessary, but they will be disabled again automatically if no applet is used for 35 days. Here are more thoughts about the Flashback Trojan and Apple’s apparent slow response.

Microsoft also recently took down the Zeus and SpyEye Trojan botnets with a coordinated seizure of command-and-control servers in Scranton, Pennsylvania, and Lombard, Illinois. The infection had affected 13 million computers, 3 million of them in the US. However, Dutch researchers accused Microsoft of hurting other ongoing investigations with the aggressive move. “Rather than truly injuring the Zeus botnet operations last month, Microsoft instead has hampered investigations into these operations by its actions last month of removing and confiscating two of the command-and-control (C&C) servers under a federal court order,” said Netherlands-based Fox-IT principal security expert Michael Sandee.