Editor's News

A need for fully skilled, experienced professionals is causing headaches when hiring in information security.   Speaking to IT Security Guru, Christian Toon, head of information risk for Europe at Iron Mountain, said that a current recruitment drive has shown that there is a need for full skillsets and “a security all rounder”.   He said: “We do need someone with computer skills and defined ideas, but we need more. It is about being personable...

A security operations centre is to be opened by the UK Government for its public sector network (PSN) to be able to respond to threats.   In an email to IT Security Guru, a Cabinet Office spokesperson confirmed that rather than a continuous diagnostics and mitigation (CDM) system, which the US Department of Homeland Security has installed for US Government departments, this solution is being offered.   “We are not offering a centralised CDM system...

Google has said that it is not prepared to pay a bug bounty for a privacy flaw, despite needing to make a change in Calendar after it was reported.   In an email to IT Security Guru, Google said that it did not have any further comment to make on a recent blog after it initially reviewed the report made by Terence Eden. Eden said that the issue was formally disclosed to Google on 6th...

More than 20,000 records were leaked because of a SQL injection attack. After it was revealed that Bell Canada had 22,421 user names and passwords, and five valid credit card numbers of affiliated small-business customers, posted on the internet at the weekend, security researcher Troy Hunt said in a blog that it was “pretty self-evident from the original info leaked by the attackers that SQL injection had played a prominent role in the breach”. He...

An attempt to gain access to Yahoo Mail accounts was thwarted. In a statement, Yahoo senior vice president of platforms and personalisation products Jay Rossiter said that it identified “a coordinated effort to gain unauthorized access to Yahoo Mail accounts” and upon discovery “took immediate action to protect our users, prompting them to reset passwords on impacted accounts”. Yahoo said that while there is no evidence that the passwords used to try and access the accounts...

The 2014 board of directors has been announced by (ISC)². The 13-member board will provide governance and oversight for the organisation, grant certifications to qualifying candidates and enforce adherence to the (ISC)² Code of Ethics. The new chair is Wim Remes, who brings 15 years of security experience to the position. Remes is a managing consultant at IOActive and was previously a manager of information security for Ernst and Young. He is also...

Software code development service GitHub has introduced a bug bounty programme. The service, which serves both commercial and open source projects, will offer bounties of up to $5,000, paid dependent on risk and potential impact to its users. Launching the programme, it said in a blog post: “For example, if you find a reflected XSS that is only possible in Opera, which is two per cent of our traffic, then the severity...

A critical vulnerability has been discovered in the MediaWiki project web platform, the operation behind Wikipedia. According to research, version 1.8 onwards was vulnerable to a remote code execution (RCE) flaw, which would allow an attacker to gain complete control of the vulnerable web server. Check Point, which detected the flaw, reported it to the Wikimedia Foundation, which has issued an update and patch to the MediaWiki software. Prior to the availability of a patch for...

The Presidential State of the Union address briefly mentioned the Prism, NSA and surveillance controversy.   President Barack Obama said in his annual address on Capitol Hill in Washington DC that he will reform “our surveillance programs – because the vital work of our intelligence community depends on public confidence” and that “we do these things because they help promote our long-term security”.   Obama used the address to talk boisterously about economic growth, overseas military action, the...

Windows malware that can infect an Android mobile is real, but requires USB debugging to be enabled. Research by Symantec found that a Trojan named Trojan.Droidpak drops a malicious DLL that downloads a configuration file from a remote server and parses it in order to download a malicious APK to the compromised device, as well as download necessary tools such as Android Debug Bridge (ADB). The ADB is a legitimate tool and...