The week in security: If you must poke a bear, use a long stick

It's a lesson learnt all too painfully by all sorts of people in the past: don't cross a hacker, or you never know what will happen. Sadly, the Ruby on Rails development team learned this the hard way after a user, who had warned of a vulnerability in the project's code repository on GitHub, hacked into the site to make a point after the development team dismissed his notification.

Developers weren't the only target: according to Symantec, members of the notorious Anonymous hacker group were themselves hacked, although they're denying it ever happened. Claims the FBI had chopped off the head of LulzSec were met with an equally equivocal response although the . However, nobody's denying Websense reports that around 30,000 WordPress blogs were hacked by a gang intent on using them to distribute "rogue" antivirus software; indeed, reports suggest that the Android Market in particular is "riddled" with bogus security products.

In other reports, a targeted email attack is using the political showdown over Iran's nuclear crisis to trick people into opening Word documents that use a known Adobe Flash Player vulnerability to install malware. Reports suggested that the Armageddon DDoS botnet integrates a new exploit called Apache Killer, while Google was forced to cut the link between its Google IM network and AOL's AIM after noting a surge in spam between the networks.

There was – theoretically – some good news, with reports suggesting last year's hack of RSA's SecurID physical login tokens caused no damage at all. Nonetheless, a post-mortem of the RSA Security conference concluded that IT security is in a "precarious spot", and few would be well-placed to disagree as a string of security issues hit the headlines. One survey, for example, found that companies are overconfident about their security protections and wouldn't know a hack if it came up and bit them on the nose. Figures also suggested that a huge number of vulnerabilities are originating from compromised home systems.

Things are so bad that a US senator has asked that country's Federal Trade Commission to look into Apple and Google for allowing mobile apps to access users' photographs without explicitly asking permission first. This, on the heels of formal requests by a pair of US lawmakers who want to know whether the government is snooping on employee emails as a matter of common practice. Such moves suggest concern over privacy may lead to tighter regulations on telecoms providers, but a group of ISPs has told the US Congress it really shouldn't pass new cybersecurity rules affecting broadband and mobile security providers.

New security products sought to batten the hatches, with Vodafone offering its 'Secure SIM' for secure access to data networks and Vasco delivering new 'e-signature devices' designed to make online transactions more convenient. Kaspersky offered a new product designed to secure virtualised environments which, we are reminded, raise three key issues of their own. And it might not sound like ideal security, but German researchers are suggesting that a new password store offers stronger iPhone security by simply letting attackers in every time.

Speaking of new products: Google patched a serious Chrome vulnerability but suffered a significant hack after a security researcher successfully broke with tradition and hacked into the Chrome browser; thankfully for Google, the penetration occurred within the confines of the CanSecWest security conference and only cost the company a longstanding $60,000 prize it has offered to anyone who can demonstrate a Chrome hack (Microsoft's IE9 browser also fell victim). That's one way to ensure security; another is to hire a security gun like Facebook CSO Joe Sullivan.

CSO also had a chat with a security bod who believes rugged development principles can improve the coherence of corporate security practices. Yet these principles, like any security-related guidance, must be applied carefully: without correct application of security standards, the result can actually be poor business outcomes.

The government, however, is hoping to enforce some standards on ethical hacking in a move that will improve visibility of security practices; also working to improve visibility was Lockheed Martin, which is opening a new software testing lab in Canberra where suppliers can test their various security solutions.

Stories by David Braue