The week in security: Flame shows hackers LinkedIn to dev tricks

High-profile security breaches occupied the headlines, as a survey found Hong Kong firms face 54 new hack attempts per week – and the Flame malware and a major security breach at LinkedIn served as wakeup calls for those who haven't been paying as much attention to security as they should have.

LinkedIn was in damage control after the revelation that 6 million LinkedIn passwords had been leaked. The company moved quickly to address the issue, adjusting the mechanisms by which its mobile apps handled calendar meeting notes and launching an investigation into what it admitted was a major breach that included compromised passwords. Experts offered advice in the form of FAQs and help in determining whether one's passwords had been compromised, with a Web app called 'LeakedIn' emerging to see whether their password was one of those compromised.

Even as LinkedIn spread the word that it had contained the damage, researchers were digging into Flame and figured out how it spreads across a network by faking Microsoft's Windows Update mechanism, prompting an admission from Microsoft that it was a "significant" milestone in the history of Windows hacking. Researchers said the hack would have required "world-class cryptanalysis" and argued about whether sandboxing would have stopped Flame from spreading. Days later, researchers suggested Flame and the Stuxnet malware were created by the same development teams.

LinkedIn wasn't the only site suffering security problems: dating site eHarmony had a password breach of its own, while online game League of Legends and Internet-radio broadcaster Last FM also warned users to change their passwords. The repeated breaches had some wondering whether users would ever learn what constitutes an appropriate password.

Meanwhile, Facebook was copping criticism as its privacy-policy user referendum garnered a negative reaction, and mustered the forces of good to build an army of volunteer white-hat hackers to dig up issues in its services, and IBM was honing in on app design to boost security of its mobile apps by promoting a security-first approach at every stage of the process.

Better mobile security can't hurt, after researchers found a way to bypass Google's automatic malware scanner for Android apps. Meanwhile Yahoo! was implementing a new antispam defence and Gartner pegged the hotting-up of the mobile device management (MDM) market.

Authorities uncovered more details of the hacker culture as an underground guide was found teaching hackers to bypass fraud detection methods on e-commerce and online banking sites, while six men were jailed in the UK for running a £11 million ID theft 'fraud factory'. Google was preparing to warn users that their Gmail messages may be the target of "state-sponsored" cyberattacks, while a number of Indian ISPs were being targeted in a protest by hacker group Anonymous. Speaking of state-sponsored attacks, US Senator John McCain alleged that the Obama administration was leaking information on US cyber-attacks on Iran to strengthen its credentials with voters.

Also on the privacy front, business consultancy KPMG warned that most UK companies have ignored a new law controlling use of browser 'cookies', while others were questioning the privacy implications of ad personalisation. The US Federal Trade Commission filed charges against two companies it says allowed the leaking of personal data through peer-to-peer software. Also on the networking front, World IPv6 Day saw the 'launch' of the next-generation protocol, which offers new security protections – and threats – in equal measure. While it's not clear just how IPv6 will change the global threat profile, you can bet hackers are already giving it serious attention.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

More about etworkFacebookFederal Trade CommissionGartnerGoogleIBM AustraliaIBM AustraliaKPMGMicrosoftUS Federal Trade CommissionYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place