How Much Is Corporate Data Worth (Part 2)? About $8,000 Say Employees

Well, I guess that’s an improvement on Monday’s article – based upon a survey conducted by Fujitsu – which concluded the answer was ‘not a lot’.

Research from Clearswift, published today, puts an altogether different, much rounder, but still undoubtedly disappointing figure on the value of corporate data, as perceived by a number of employees.

In a poll encompassing more than 500 internet technology decision makers and 4,000 employees across Australia, Europe and the US, Clearswift discovered that a quarter of employees would risk their jobs and jail time if someone offered them $8,000 (about £5k) or more in return for company secrets.

If that doesn’t sound good, get this: three percent of those surveyed said they’d give up corporate data for as little as $155 (less than £100).

Just over a third (35%) were open to the possibility of bribery but put a much higher price on their cooperation: $77,500.

Fortunately, the survey did find that 65% of its sample were apparently honest, saying they wouldn’t give up company data at any price. Wahay!

Clearswift’s Chief Executive Officer, Heath Davies, had this to say:

While people are generally taking security more seriously there is still a significant group of people who are willing to profit from selling something that doesn’t belong to them.

This information can be worth millions of dollars.

A case in point of the true value of data is the recent Ashley Madison hack, where user data was accessed by a member of their extended enterprise (part of their technical services team) according to the site’s CEO; the effects of which have been monumental. The site announced earlier this year that it hoped to raise $200 million in an initial public offering this year and it may have lost out on this opportunity reducing the value of its entire business. This attack has also had a ripple effect on its sister sites. It is important for companies to understand the risk and address it appropriately – this research can help them do that.

One of the key problems, Clearswift says, is the ease with which potentially unscrupulous employees can get their grubby little mitts on valuable data in the first place – 61% of the respondents said they had access to private customer data, 51% could access financial data, and 49% had access to sensitive product information and other critical business data.

Perhaps such figures should prompt some hard thinking among the organisations represented within the survey, huh?

Much like the findings I wrote about on Monday, the gist of Clearswift’s survey surrounds attitudes toward data and security – only 29% of employees felt that company data was their responsibility and 22% were quite adamant that it wasn’t something they should concern themselves about at all, prompting Davies to say:

It is not good business to live in fear of your employees, especially since most can be trusted.

Getting the balance right has always been hard. But truly understanding where the problems come from, combined with advances in technology which can adapt to respond differently to different threats, really changes the game here.

I personally agree that most employees can be trusted (sure, many are opportunist stealers of pens and staples, but not data, at least not in my opinion), but I also believe that trust is largely irrelevant in this situation; the issue lies somewhere else – in security awareness and training.

So the question is, what are you doing to ensure that your staff do place a high value on your corporate data? Are you involving them in the business enough and giving them some education and direction, or are you continuing to grant access to too much data to too many people who aren’t really bothered about keeping it to themselves?

How Much Is Corporate Data Worth? Not Much Say Employees

Oh dear, this isn’t good.

Confirmation, if any was needed, that employees don’t always have a company’s best interests at heart comes in the form of new research from IT company Fujitsu which has determined that personal data is of far greater concern to the majority of staff.

While the fact that only 7% of the staff involved in the research project thought business data was more valuable than their own is worrying enough, it may perhaps be even more telling that just under half (43%) had no idea what value to place on corporate data in the first place.

Bizarrely – unless this is a reflection of poor security within the organisations encompassed by the research – 89% of the respondents said they felt their own personal email systems were more secure than the ones at their place of work. Whichever way you choose to look at that statistic, it has to be worrying, doesn’t it?

Commenting on the research, Andy Herrington, Head of Cyber Professional Services at Fujitsu, said:

With 1 in 3 (30%) employees agreeing that they worry more about losing personal data than business data, organizations have a challenge on their hands.

Herrington, quite rightly in my opinion, argues that education is key:

While there is no quick fix in changing these perceptions the process needs to start with the people. Educating employees about the value of and how to protect their own personal data is a great starting point and businesses will see this data safeguarding attitude trickle through the business, helping employees become part of the threat defense.

The research also throws up some interesting figures about identity theft, suggesting that while more than half (58%) of employees understand the risks surrounding identity theft, more could be done both within the corporate arena and in terms of protecting themselves.

Robert Arandjelovic, director of security strategy EMEA at Blue Coat Systems, noted that:

Identity theft is no longer just about stealing identities. While classical identity theft will continue to exist, we are now seeing it being increasingly used as research gathering in social engineering as part of a larger, sophisticated cyber attack. This allows attackers to assume the identity of key individuals to access corporate networks and take sensitive information.

The wealth of personal information on social media accelerates the speed of information gathering and makes social engineering easier. Our research shows UK employees should treat social media as cautiously as they treat unsolicited phone calls or emails. To combat this change, businesses should seek to strike a balance between technology and educating employees on the risks of social media.

While not necessarily an issue, depending upon the employee’s job role, the research also found that only 13% of employees are aware of the security measures in place within their working environment. Just under a quarter of those spoken to think both their firm and they themselves could do more to bolster security – it’s unfortunate that Fujitsu did not follow up with the obvious question of what more could be done.

If you were to analyse your own business and ask your employees the same type of questions how do you think they would respond?

Are your staff clued up about their own security and, if so, does that mindset come with them when they come into work?

If it doesn’t, you almost certainly have a problem.

What are you going to do about it?

It Was Breaking Bad’s Fault Says Alleged Dark Web Ricin Buyer

A court yesterday heard how a man living in the Liverpool area attempted to buy 500mg of ricin – enough to kill 1,400 people – after watching the popular US TV series Breaking Bad.

Thirty-one-year-old Muhammed Ali allegedly began searching the web in October last year, researching dangerous poisons including abrin, cyanide and ricin. His search, the court heard, led him to the dark web where, in January of this year, he allegedly tried to purchase a huge amount of ricin from what he assumed to be a genuine seller.

As it turns out though, the seller (Psychochem) was in fact an undercover FBI agent who, after a series of encrypted exchanges with the defendant, informed the authorities in Blighty.

The court heard how Ali, operating under the pseudonym of Weirdos 0000, was led to believe that his purchase had been successful, later receiving a package containing five packs of inert powder secreted away inside a toy car. Soon after taking receipt of the delivery on 10 February, Ali was arrested by police at his home in Prescot, Liverpool.

As for why Ali allegedly tried to secure such a large amount of the chemical weapon, clinical psychologist Dr Alison Beck said the defendant exhibits many signs of Asperger’s syndrome. Beck also suggested his viewing of Breaking Bad may have influenced his mental state:

I think that so far as I understand it, Mr Ali was motivated with pushing the boundaries of what was possible with the technology.

The relevance of the Dark Net was to procure ricin and that idea was implanted in his brain having watched the series Breaking Bad.

(For those of you who are unaware, ricin was a feature of the final series of Breaking Bad – protagonist Walter White used it to kill one of his adversaries).

Even though this story is about the alleged purchase of a weapon of mass destruction, it does contain some security messages.

Firstly, it reiterates something I hope you all know already – people can pretend to be anyone on the web. Just because someone says they are a chemical weapons seller (or potential business partner, someone of romantic interest or anything else you care to mention), it does not mean that they necessarily are.

Secondly, it tells us that, while important, the encryption of communications isn’t the be-all and end-all of secure messaging – if you cannot verify the identity of everyone who may read that message, then your efforts in securing it are somewhat moot.

Thirdly, this story should serve as a timely reminder that there is another side to the internet. While the side most of you are familiar with sometimes conjures up nasty surprises, such as malware-laden websites, cloned bank login pages and all manner of other traps, there is a far seedier area festering away beneath the surface – the dark web – where all manner of products and services can be acquired, from drugs to chemical weapons and DDoS attacks to hitmen.

Now, if only we knew someone who was engaged in the fight against online cybercrime…

Organisations Say Attacks Are Evolving Too Quickly, Recruitment Tricky

Organisations are employing more IT security personnel than ever before but that hasn’t, according to Lieberman Software Corp, made them feel any more secure.

Why is that?

Well, according to a survey conducted at the 2015 RSA Conference, the problem is the speed with which attacks are evolving – organisations simply do not believe they can keep up with them.

Based upon the responses of 200 IT security professionals, Lieberman deduced that two-thirds of organisations are now employing more staff within the infosec function than at any time in the past, yet just over three-quarters of those companies feel they are still ill-equipped to deal with the changing threat landscape.

Why not recruit more staff then, I hear you say.

Well, the same study reveals that 85% of the surveyed organisations cannot find the staff they need. This, Lieberman says, could be putting large numbers of organisations in harm’s way (we only need to look at the number of breaches recently to see how the reported risks are growing).

CEO Philip Lieberman said:

These survey results show that it doesn’t matter how many people you have guarding your network, persistent hackers will always find a way. Today companies need to stop thinking about whether they will be attacked and start thinking about what to do when they are attacked. An organisation can significantly reduce the damage caused by a security breach by having a good response plan in place. The truth is, it doesn’t matter how many people you have defending your network, determined hackers will always find a way in.

The dramatic increase in data breaches over the last few years has led to a demand within organisations to employ skilled IT security staff. However many companies have struggled to find staff who are competent enough to defend against the type of sophisticated cyber attacks we are frequently seeing today.

While I don’t think anyone would disagree that a determined hacker will find a way in, irrespective of the number of security staff employed, I think there is much to be said for being as strong and secure as possible.

So, if organisations believe the lack of qualified staff is an issue, what are they to do?

We all know there is a skills shortage – it’s mentioned in the media often enough – but is the problem really as serious as it’s made out to be?

Sure, there may be a dearth of talent with the correct university degrees or the right certifications, but does that mean the talent isn’t out there or does it mean organisations need to broaden their horizons when it comes to recruiting competent staff?

Personally I think they do and I was pleased to see a CSO article yesterday which, in my opinion, hit the nail on the head.

Michael Santarcangelo’s article raises several interesting points but the key one for me surrounds the development of people who, while lacking security experience, are able to bring other skills to the table. Of course security isn’t for everyone, and some people do not possess the attributes required to achieve the required level of competence in the field, but for many others, a rewarding career in the industry is eminently possible, given the right kind of training and leadership.

As Santarcangelo wrote:

When faced with a shortage of talent, consider looking for people without security experience. Instead, focus on the right aptitudes, attitudes, and abilities.

Then teach them the skills they need to be effective.

I myself know more than one person who has the passion, desire, drive and inquisitive mind to succeed in the infosec profession. In the absence of a computer science degree (or similar) or industry-recognised cert, will they be able to get on in the industry?

I think they should, but how do recruiters see things?

Would you employ somebody from outside of the field to fill your skills gap or are your needs such that you have no option but to headhunt the best talent from your competitors?

Hackers Penetrate Ashley Madison, Slip Out With Customer Data

Hackers have stolen personal information from online international infidelity site Ashley Madison.

The site, which encourages its members to cheat on their partners, boasts 37 million members, all of whom may be ruing the day they signed up with a service which says “Life is short. Have an affair”.

According to Brian Krebs, those responsible – known as The Impact Team – claim to have compromised… everything. That’s databases, financial records and other data.

Not only that, the group has also begun leaking some of that data on the web, including maps of internal servers, company bank account data and employees’ salary information.

Customer data appears to be safe for now but The Impact Team has threatened to dump everything it has if Avid Life Media, the company behind Ashley Madison, fails to close the site, along with another of its web properties, Established Men.

Should such a disclosure of personal information come to pass, the consequences for actual and wannabe cheating spouses could be severe – the data likely to be leaked apparently includes names and addresses, credit card transactions and secret sexual fantasies.

The Impact Team has taken this course of action, it says, because Avid Life Media allegedly lied about a service charge. Membership of the site is free, as is partial deletion of profiles, but a full delete costs $19 (around £12).

This service, the hackers say, has not been provided to those who have paid up. Instead, the group claims names, addresses and usage histories remain, even after the fee has been paid.

In a statement Avid Life Media Inc confirmed the breach, saying:

We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.

We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.

We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.

Avid Life Media says it has now successfully removed all hack-related posts and PII about its users by invoking the Digital Millennium Copyright Act. Investigation of the incident continues, it says:

At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.

How good the security at Ashley Madison is, we do not know, but what is for sure is that data breaches are either becoming more frequent or are being reported far more often. We can also say that, whatever you think of the service the site provides, the attack is still an illegal action, however well-intentioned those behind it may perceive themselves to be.

The latest breach of an adult-orientated site comes two months after Adult Friend Finder suffered a similar fate and the advice for anyone potentially affected this time around is the same – be on your guard for an increase in spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts.

Wrongful Arrest Underscores How Humans = Risk

I’m sure (hope) you don’t need me to tell you how computers can pose a risk to both yourself and your organisation, be that through local malware or internet attacks.

The number of cases where organisations have been disrupted, crippled or simply inconvenienced by ransomware, viruses, etc. is significant. So too is the number of data breaches and other web-based attacks that we’ve seen recently.

But.

And it’s a big but.

Not all attacks are successful because of the underlying technology. Or should that be in spite of?

Nope, many attacks succeed because of design faults, be that in the design of hardware, the coding of software, or through criminals taking advantage of human nature (think phishing and other socially engineered attacks).

But there is another way in which humans pose significant risks and that’s called human error.

Take, for instance, a story highlighted by the BBC yesterday: Auntie reported how non-technical mistakes accounted for 9 of 17 serious errors by public authorities or communications service providers in 2014.

The highlights from that list of errors include the arrest of one person in connection with a child sex investigation they had no link to, five police searches at innocent civilians’ homes and the tracing of the wrong email user (someone missed out an underscore in the email address) in connection with a child sex exploitation case (the police subsequently paid the innocent person a visit and searched their home).

Sir Anthony May, the Interception of Communications Commissioner, who recently released a detailed report on his findings, said:

Any police action taken erroneously in such cases, such as the search of an individual’s house who is unconnected with the investigation or a delayed welfare check on an individual whose life is believed to be at risk, can have a devastating impact on the individuals concerned.

May revealed how some ‘victims’ had been “incredibly understanding” while others had called in lawyers. Putting that into a business context, both attitudes come with a cost, either in terms of brand damage or possible financial consequences (or both).

So what can we learn from this and what is the answer?

Well, it’s a given that every organisation should be securing its technological assets against bad actors but I think this story highlights how the human element can throw all sorts of unexpected risks into the equation.

While simple, honest mistakes can be unpredictable and hard to mitigate against, there is much to be said for building a culture of security into any organisation.

By simply increasing staff awareness of all security risks, and especially those surrounding the handling and control of data, you can go a long way in improving your chances of not making mistakes. That’s not to say they won’t ever happen though, so now may also be a good time to check that your organisation has a good level of oversight in place, especially if it is dealing with highly sensitive data. You may also wish to check that you have a strong incident response plan and that everyone is familiar with it and their roles in making it happen.

How One Fake Story Added 8% To Twitter’s Value In 10 Minutes

Don’t believe your company can be affected by things that occur on the internet?

Think again!

I’m not even talking about hackers in this instance. Nope, no defacements. No data breach. No DDoS. No attack on your website or systems.

Instead, I’m talking about what might be called a variation of the pump and dump stocks scam, the old ruse in which scammers would pick up next to worthless penny shares and then hype them up via spammed out emails, sent to thousands of potential investors in the hope that they would then drive up the price of the stock.

Only in Twitter’s case the stock is far from worthless and no emails were sent.

So what happened?

Well, yesterday, the company saw a huge surge in the value of its share price, at one point rising from $36.80 to $38.60 in less than 10 minutes, all off the back of a story saying the company had received a $31 billion buyout offer.

Sounds great, doesn’t it? After all, analysts put the company’s worth at $25 billion, so that’s a pretty good mark-up for the brand’s goodwill, isn’t it?

Sure, of course it is, but there is a snag – the story wasn’t true.

Ah, I hear you say, why would the share price rise so quickly then? Surely no investor would be so naive as to believe a fake story. Well, normally that may well be true but in this instance the story appeared to come from an eminently respectable source: Bloomberg News.

Only it didn’t.

Instead, the story appeared on a rather accurate clone of Bloomberg News, using the similar-looking URL bloomberg.market. Now, if you don’t already know, the latter is not a Bloomberg domain but rather a subdomain belonging to an altogether different site under someone else’s control.

If that wasn’t enough to give the game away, eagle-eyed investors would have noted grammatical and spelling errors in the body of the text:

Last month, upon announcement that chairman and co-founder Jack Dorsey would be appointed interim CEO while they searched for a new leader, Twitter stock rose 8%,. It was a clear signal from Wall Street that it was happy the company decided to part ways with ex-CEO Richard ‘Dick’ Costello. Under his leadership the company struggled to add new members and generate more revenue from its ad products.

Alas it appears many people (or automated systems designed to buy and sell stock based on breaking news stories) failed to notice the misnaming of Dick Costolo or the incorrect web address – and so the buy orders went in.

Ultimately, the price dropped off after Bloomberg revealed how the story was fake, though Twitter was still up around 2.5% when the markets closed. According to Bloomberg, the SEC is now investigating.

So, what can you take away from this story?

Well, there is the fact that the internet now has a tremendous influence on our lives and the fact that a great many people believe whatever news it brings their way. This can be a problem for many reasons – it can, as we’ve seen here, affect share prices. It can also have an influence on how your brand is perceived. It can also encourage people to find the news in the wrong places, via Trojan-infected websites, phishing emails and suchlike. Are your staff among them?

Also, it highlights how many people must have visited a spoofed website. What if that was your bank account? Would you have entered your account details if the web page looked convincing? Do you check URLs in your browser all the time or just assume you are on the correct website? Are your staff as security-conscious as you are?

Food for thought, eh?

Range Rovers Recalled Over Software Lock Bug

Depending on where you live, it may be a requirement to drive around with your windows up and the doors locked in order to avoid thieves and other malcontents when stopping at junctions (if you don’t know what I mean there are certain parts of London I could point you toward).

While such a strategy doesn’t guarantee your safety, it certainly enhances it, making you a high-hanging fruit, so to speak.

But what if someone, or something, could unlock your doors without you knowing?

Would that worry you? Even if you aren’t too concerned about being hijacked at the traffic lights, it does pose a risk of having your car stolen. And what would it do to your insurance premiums?

Well, such an eventuality seems to be a possibility with Range Rover and Range Rover Sport vehicles sold in the UK in the last two years.

The manufacturer – Land Rover – is recalling over 65,000 affected vehicles due to a software bug that reportedly led to doors opening of their own accord, including one incident in which a driver said his door opened while the car was on the move.

Land Rover, fortunately, has said that there have been no accidents or injuries as a result of the bug.

Of course many of you may well remember that it is not just strange glitches that have affected the company – last year certain Range Rover models (as well as BMW X5s) were specifically targeted by thieves who probably used a small handheld “black box” to unlock and start cars that relied upon keyless ignition systems.

That incident did indeed lead to thefts and higher insurance premiums for some, not to mention a whole load of inconvenience, as insurers told owners to only park in secure car parks and garages, or insisted upon the installation of tracking systems that could be used if the car was subsequently swiped.

Bad times for Range Rover owners then but what can we learn from this?

As ever, there is a message about an over-reliance on technology. I cannot comment on Range Rover specifically but I have a feeling that many firms pump out tech with an eye on the bottom line first, offering new and exciting features they think will entice customers to buy their product, but without the required level of thought about the security aspect. Or, if not security, simply the thorough testing of systems and software.

And that’s a big problem. Not just in the automotive industry but across every industry.

The desire for ‘new,’ ‘flashy’ and ‘shiny’ seems to mesmerise people to such distraction that they often only look at the surface level. No-one seems to consider ‘security,’ ‘risk’ or ‘human error’ enough. Or at least that’s my opinion.

Now, if only we could change that viewpoint, don’t you think our cars would stay locked when they are supposed to, thieves aside?

And if we could make our cars safer, what else?

Who knows! It’s up to you, the consumer – caveat emptor… or should that be emptor conscius?

In The Endless Battle Should We Celebrate Success Or Focus On Failure?

Do you know what I love about the InfoSec community? It’s the people. Obviously.

But more than that, it’s the passion I see, the determination to make our lives more secure, more safe. It’s the willingness to share, despite professional aspirations and employer associations.

And it’s the most English of qualities – that determination in the face of adversity.

Ever since I first became interested in the subject matter (December 2006 seems like such a long time ago), I’ve been impressed with how the vast majority of companies and individuals have kept a positive mindset in the face of a threat that will never go away, never ease off.

Recently, however, I’ve seen a bit of a trend that concerns me somewhat.

Ok, sure, there is always doom and gloom in any industry. That’s a natural side effect of employing people, some of whom are less happy than others, and some of whom are more inclined to chase a sale by painting a pessimistic picture.

But at some conferences I’ve been to recently the mood has been somewhat more sombre than I remember in years gone by. I don’t mean in a FUD, get your wallets out kind of way either.

It’s just been, I don’t know, flat?

For all my own faults, of which there are many, it’s not something that will ever dampen my own enthusiasm or alter my viewpoint, but I do wonder what message is being sent out right now?

You know what they say – despair breeds despair. Or something.

But the flip side is just as true – celebrating success lifts spirits, increases motivation (to be fair, InfoSec is an industry that has that by the bucket load already but more is always good) and reenergises those who fight the good fight.

So, in what I guess is an appeal to the good people of Twitter, the conference circuit and other gathering places, I say why not focus on what the industry is getting right.

And there are many successes. Too many to list here in fact. But let’s just pick one organisation – Europol – which is on something of a roll at the moment.

In the last month the Euro cops have busted 49 alleged cybercrims in Italy, Spain, Poland, the United Kingdom, Belgium and Georgia; taken down a crime ring allegedly exploiting and distributing Zeus and SpyEye malware; copped 130 alleged airline ticket fraudsters; and nabbed what it says is a serious cybercriminal gang operating out of Barcelona, Spain.

Great stuff and well worth celebrating, wouldn’t you agree?

What do you think? Should we spend more time celebrating success, or could that breed complacency?

Has the InfoSec industry become a tad more pessimistic in the last couple of years or is that just my perception? If the attitude has shifted, why do you think that is?

Adobe Set To Tackle Hacking Team Flash Threat

There has been much said about the Hacking Team story over the last few days, ranging from the ethics of the company’s business through to concerned individuals who say they’ve found the software in question on their systems.

Now, though, there is another facet to the tale – a new Adobe Flash vulnerability discovered in the 400 or so gigabytes of documents leaked in the wake of the breach.

Data belonging to the Italian firm, first posted online on Sunday, suggested it knew of a serious flaw in Flash but did not communicate that fact to Adobe [our CEO, Brian Honan, recently offered up some golden advice on vulnerability disclosure]. Now, fast-moving exploit kit developers have apparently taken advantage of that situation, with CSO Online reporting that:

Exploit kit developers were quick to weaponize it thanks to detailed instructions provided by Hacking Team documentation.

CSO’s Steve Ragan noted that attacks have been spotted in both the Chrome and Firefox browsers.

Meanwhile, Jerome Segura from Malwarebytes described what Hacking Team called “the most beautiful Flash bug for the last four years” as:

One of the fastest documented cases of an immediate weaponisation in the wild, possibly thanks to the detailed instructions left by the Hacking Team.

Speculating as to why Hacking Team, which sells spying software to governments and their intelligence agencies around the world, may have kept the news of the vulnerability to itself, Bharat Mistry of Trend Micro said:

When you know the severity of a flaw, there’s a duty to disclose it to the software vendor.

Maybe they saw this as an avenue they could use for their own purposes and wanted to keep it under wraps.

But Flash has a big presence on the web. There is mass potential for this bug to be exploited by criminals.

The security firm also said there is evidence that the bug is already being exploited in active attacks, and that the Hacking Team code took advantage of a trick first observed at this year’s Pwn2Own.

Commenting on the news, Ken Westin, Senior Security Analyst at Tripwire, said:

The market for zero day vulnerabilities is alive and well and as the Hacking Team breach has revealed is also highly profitable.

As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully.

Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations.

For its part, Adobe has confirmed that the vulnerability could “cause a crash and potentially allow an attacker to take control of the affected system”.

A security bulletin from the company noted how the flaw affected Flash Player 18.0.0.194 and earlier versions for Windows and Macintosh, as well as Flash Player Extended Support Release version 13.0.0.296 and earlier 13.x versions for Windows and Macintosh, and Flash Player 11.2.202.468 and earlier 11.x versions for Linux.

The vulnerability – identified as CVE-2015-5119 – will be patched later today it said.