The week in security: War of security words

Australian techhead Mark Pesce made some waves after designing a way to send encrypted tweets using his CrypTweet applications. It's an interesting approach but the still-evolving platform has been slammed by observers as being at an early stage, and compromised by inherent characteristics of the Twitter platform.

Meanwhile, a spate of trust issues with certificate authorities (CAs) around the world has pushed Mozilla to give certificate authorities the chance to retain their inclusion within its products by expunging subordinate CA certificates used to intercept traffic on a private network. Also in the browser world, Google came out swinging against a Microsoft privacy protection feature that it says is inconsistent with modern Web-site features. The stoush arose after Microsoft accused Google of circumventing its privacy protections, but Google wasn't only on the giving end; the company copped a complaint to the US government from a consumer group that wants to halt its planned March 1 introduction of new privacy policies. Google has argued the new policy will have little impact on enterprises, but will they believe it?

Google isn't the only one changing privacy profiles: Key mobile app providers are set to introduce new privacy policies for all of their apps, although the changes will be just one step in a broader effort to mitigate the considerable risks inherent in mobile platforms. There are so many unknowns that Research in Motion was lobbying the Australian government to offer rebates for companies that work on revisiting and improving their internal security.

The US government is also aware of the risks, and is pushing for new privacy codes of conduct in a move that isn't

Meanwhile, Australia's Business Software Alliance has warned that Australia is second most-suitable in the world for cloud computing but that Europe's position is sliding because it's planning an overhaul of its data protection legislation.

Also, on the cloud front, one analyst said cloud security is not a "real" concern – although that seems an interesting assertion given that online defences are falling at a scary pace. For example, a team of researchers figured out how to defeat a video-based CAPTCHA antispam system called NuCaptcha. Another team of researchers has capitalised on the recent release of Symantec's pcAnywhere source code, releasing an attack that can crash the popular remote-access application.

Symantec was itself in the news after announcing it had discovered a new variant of the ZeuS botnet that no longer requires central command and control servers; this is a major architectural change because the lack of C&C servers makes it harder for researchers to trace its activities back to a single source. That kind of correlation is essential for new services like Akamai's DDoS detection service, Kona Site Defender, which offers businesses a new layer of protection against such attacks.

Speaking of policy violations, some were considering how to differentiate between plain old cybercrime and all-out cyberwar. It may sound like a case of semantics, but these sorts of things become important when the industry is considering issues such as the US Cybersecurity Act of 2012, which is being targeted by industry figures who want to slow down the government's rush to change the laws. The US Federal Communications Commission is also pushing a model that could have implications within Australia, urging ISPs to proactively notify customers when their systems are compromised.

That said, many users may not even know their systems are being compromised, with a new version of the Flashback Trojan for Mac OS X able to install the malware without requiring any user intervention at all. This is hardly good news for malware defences – and neither is the suggestion that time-tested techniques for quarantining malware for analysis are "broken".

With all this talk about malware nastiness, it's easy to forget that social engineering remains a major security threat. CSO offered a rogues' gallery of the worst social engineers, none of whose activities would have been picked up by a new threat-detection product from startup Click Security that bases its alerts on real-time analysis of intelligent sensors spread across a network. This sort of monitoring may help companies implementing formal governance, risk and compliance (GRC) platforms using the 12 tips CSO offered.
