Cyber security news roundup March 2016
Two new advisories from CERT-UK: the UK National Computer Emergency Response Team (CERT-UK) published two new advisories, the first on the GlibC vulnerability affecting Linux and the second on the DROWN vulnerability affecting HTTPS communications. The GlibC buffer-overflow vulnerability could potentially leave hundreds or thousands of apps and hardware devices vulnerable to attacks. CERT-UK advises that updates to fix this vulnerability are available and should be applied as soon as possible; also see media coverage from BBC News, Ars Technica and Network World. The DROWN vulnerability could be exploited to decrypt secure HTTPS communications; sites can be tested for this vulnerability using the DROWN attack test site and upgrades to OpenSSL are available. Again, see media coverage from BBC News, Computing and Ars Technica.
More on phishing: further to this previous post by John Chapman, Phishlabs published its 2016 Phishing Trends & Intelligence Report: Hacking the Human. Key findings include that phishing remains the top threat vector for cyberattacks; the study found a distinct increase in the percentage of phishing attacks targeting cloud storage and file hosting sites, webmail and online services and ecommerce sites. In 2013, cloud storage/file hosting services companies were targeted in less than 8% of all phishing attacks, but in 2015 these attacks accounted for nearly 20% of phishing attacks, correlating strongly with the increased use of these services. Janet network CSIRT member Mark Siddle mentioned some tools that can be used to raise awareness of phishing in his recent Digifest presentation.
IoD - Businesses need to “get real” about cyber security: the Institute of Directors (IoD) published Cyber Security: Underpinning the Digital Economy, a new report examining businesses’ attitudes towards and responses to cyber security issues and risks. The study found that many businesses’ cyber security strategies are lacking: whilst 9 in 10 (91%) business leaders said that cyber security was important, only around half (57%) had a formal strategy in place to protect themselves and just a fifth (20%) held insurance against an attack. Also see media coverage from Computing and this related speech by Cabinet Office Minister Matt Hancock, outlining the Government’s policies in support of cyber security.
Cyber security research news:
- In another speech by Cabinet Office Minister Matt Hancock, this time on a trade mission to Israel, he announced a new academic engagement between the UK and Israel in the emerging area of cyber-physical security: “Israeli experts will engage in joint research with UK academics in cyber-security. We will launch a competition to find the best ideas and people to work together to develop research focussed on what is another new frontier: protecting our cyber physical systems: like protecting industrial control systems, the internet of things and driverless cars.”
- The Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast received a Queen’s Anniversary Prize. The Centre’s innovations include “novel technology to be integrated into Apps to improve security for online financial transactions; anti-counterfeit technology to prevent internet fraud; and new processors to deliver filtered internet to homes and businesses, stripping out viruses, malware and malicious content.”
- The University of Huddersfield announced an investment of £370,000 in a new multi-disciplinary crime research centre: The new Secure Societies Institute (SSI) will work in fields including forensic science, terrorism, cyber security, child sexual exploitation and ballistics.
- The Surrey Centre for Cyber Security at the University of Surrey and Singapore Management University have received 2-year funding from the Engineering and Physical Sciences Research Council (EPSRC) and Singapore’s National Research Foundation (NRF) in relation to proving that human-behaviour-related insecurities in cyber security can be detected automatically by applying human cognitive models.