The week in security: Flame shows hackers LinkedIn to dev tricks
- — 13 June, 2012 10:37
High-profile security breaches occupied the headlines, as a survey found Hong Kong firms face 54 new hack attempts per week – and the Flame malware and a major security breach at LinkedIn served as wakeup calls for those who haven't been paying as much attention to security as they should have.
LinkedIn was in damage control after the revelation that 6 million LinkedIn passwords had been leaked. The company moved quickly to address the issue, adjusting the mechanisms by which its mobile apps handled calendar meeting notes and launching an investigation into what it admitted was a major breach that included compromised passwords. Experts offered advice in the form of FAQs and help in determining whether one's passwords had been compromised, with a Web app called 'LeakedIn' emerging to see whether their password was one of those compromised.
Even as LinkedIn spread the word that it had contained the damage, researchers were digging into Flame and figured out how it spreads across a network by faking Microsoft's Windows Update mechanism, prompting an admission from Microsoft that it was a "significant" milestone in the history of Windows hacking. Researchers said the hack would have required "world-class cryptanalysis" and argued about whether sandboxing would have stopped Flame from spreading. Days later, researchers suggested Flame and the Stuxnet malware were created by the same development teams.
LinkedIn wasn't the only site suffering security problems: dating site eHarmony had a password breach of its own, while online game League of Legends and Internet-radio broadcaster Last FM also warned users to change their passwords. The repeated breaches had some wondering whether users would ever learn what constitutes an appropriate password.
Meanwhile, Facebook was copping criticism as its privacy-policy user referendum garnered a negative reaction, and mustered the forces of good to build an army of volunteer white-hat hackers to dig up issues in its services, and IBM was honing in on app design to boost security of its mobile apps by promoting a security-first approach at every stage of the process.
Better mobile security can't hurt, after researchers found a way to bypass Google's automatic malware scanner for Android apps. Meanwhile Yahoo! was implementing a new antispam defence and Gartner pegged the hotting-up of the mobile device management (MDM) market.
Authorities uncovered more details of the hacker culture as an underground guide was found teaching hackers to bypass fraud detection methods on e-commerce and online banking sites, while six men were jailed in the UK for running a £11 million ID theft 'fraud factory'. Google was preparing to warn users that their Gmail messages may be the target of "state-sponsored" cyberattacks, while a number of Indian ISPs were being targeted in a protest by hacker group Anonymous. Speaking of state-sponsored attacks, US Senator John McCain alleged that the Obama administration was leaking information on US cyber-attacks on Iran to strengthen its credentials with voters.
Also on the privacy front, business consultancy KPMG warned that most UK companies have ignored a new law controlling use of browser 'cookies', while others were questioning the privacy implications of ad personalisation. The US Federal Trade Commission filed charges against two companies it says allowed the leaking of personal data through peer-to-peer software. Also on the networking front, World IPv6 Day saw the 'launch' of the next-generation protocol, which offers new security protections – and threats – in equal measure. While it's not clear just how IPv6 will change the global threat profile, you can bet hackers are already giving it serious attention.