The week in security: Yahoo!, Google learn security lessons

  • David Braue (CSO Online (Australia))
  • 17 July, 2012 09:12

From the good-news-bad-news files, the federal Department of Broadband, Communications and the Digital Economy surprised many citizens by telling them that DVDs with their usernames and passwords had been lost in the post – but the news came four months after the event, which rendered it all but moot for most.

Apple saw its first malicious iOS app unleashed onto its app store, and copped criticism for its perceived lack of effort in preventing iPhone theft; ironically, the company is so concerned about iPhone security that it’s holding off providing its own mobile payment service despite successful efforts by rivals.

One of those rivals, Google, saw its Android platform hit with . Even an online Android forum was hacked – raising cheers from privacy groups. But not all mobile devices are insecure: many have been tweaked for better security, as a CSO gallery showed.

New security standards dropped references while outlining better protection – but they aren’t the only things requiring protection from cyber attacks, with European security authorities warning that smart energy grids are vulnerable and need better security.

UK police secured a 6.5-year sentence against a phisher who siphoned $461,000 from British students, while two men were jailed for a separate scam that picked off more than $2.3m by impersonating a student-loan company. And, in the US, authorities blasted a $2.7m online loan-fraud scheme.

Also on the policing front, the shutdown was hailed by some as a victory for law enforcement and a victory for morality by its creator. Retailer Best Buy revealed hackers were regularly trying to access online customer accounts and some questioned the long-term value of the DNSChanger shutdown even as ISPs were being credited with minimising its impact.

New malware emerged to take its place, with one Java-based Web attack installing backdoors across Windows, Linux, and Mac computers and a new Chinese Trojan tricking routers into spreading malware. Even Microsoft had trust issues, revoking 28 digital certificates for its BPOS cloud tools. The company also updated its Windows encryption policies to reject encryption keys smaller than 1024 bits.

Yahoo was investigating the breach of 453,000 user logins, which included a range of user names and passwords that spawned a raft of analysis – including the listing of the most common passwords in use on the service. Hackers facilitated this process by posting over 400,000 Yahoo! Voice passwords online. Armchair analysis blamed Yahoo! for negligence and incompetence in its security.

On the privacy front, French courts set an interesting privacy precedent by fining a company more than $12,000 after it refused to give an employee a GPS record it had made of his movements in his company vehicle. On a similar front, figures revealed that US law-enforcement agencies requested data on mobile users more than 1.3 million times last year. No wonder consumer concern over online privacy is up by half over last year.

