The week in security: Bank security faces Olympic-sized challenges

Olympics-related scams were in full swing as the Games continued, with unsophisticated bulk phishing scams trying to extract hard-earned cash from punters and search engines dishing up fake Olympic Games domains.

An upgrade of Australia's payment-card security has delivered mixed results, while security executives were warning that mobile apps have become a major new attack vector for cyber criminals. Growing security fears amongst users are destroying user trust in mobile finance, with new 'Shylock' malware replacing the contact phone numbers in online banking sites and the industry reeling from frauds such as a £2.5m deception perpetrated by a Lloyds head of security for online banking.

Even as the Reveton email-based financial malware scam grew, reports suggested surveillance malware was monitoring Middle Eastern banks; it was christened 'Gauss' and has quickly gained notoriety as the latest state-sponsored cyber-espionage tool. Gauss detection tools were soon on offer from two security organisations as discussions and analysis suggested the new Flame variant reflects a boom in malware tools.

Cloud applications could well become a target too, with Apple licking its wounds after a socially-engineered iCloud hack caused problems for journalist Mat Honan and forced Apple to stop password resets over the phone. This notorious hack led Google to push for two-factor authentication, as a new survey confirmed that around half of companies use cloud-based services to store sensitive data, using a variety of encryption mechanisms.

That could be a worry as statistics show a growing trend towards privacy breaches and regular attacks, with Apple co-founder Steve Wozniak blasting cloud-hosted security. A data breach at the US EPA was part of a 19% increase in privacy breaches from 2010 to 2011, while a survey suggested Web applications are attacked, on average, once every three days. Some executives want to get more proactive in fighting back, while some industry experts argued that IT executives will struggle to enforce security policies without a system of rewards. And CSO wrapped up other conclusions from recent security conferences.

Australia's privacy commissioner confirmed to CSO that he won't be pushing Google to provide Street View 'payload' data that was supposedly destroyed last year, even as the company cops a $US22.5m fine over its circumvention of privacy controls in Apple's Safari browser.

Google was worrying some with the increasing integration of Gmail and Google search, but it wasn't the only offender: a privacy breach by a UK health trust copped a £175,000 ($A260,000) fine, while online games giant Blizzard Entertainment said its internal network had been breached by hackers and Facebook's own privacy settlement got the nod from the US FTC.

Symantec came out warning that hackers have taken a shine to small businesses, while a report suggested US and China-based attacks increased in the first quarter of this year and other criminals are targeting payroll administrators with emailed malware. Even as it patched 14 new Internet Explorer vulnerabilities, Microsoft announced that Windows 8 and its bundled IE10 would include a 'do not track' option, and Google announced that it had built a stronger 'sandbox' for Flash within the Windows version of Chrome.

Security firm Kaspersky is working to tighten security within notoriously-insecure industrial control systems by building a new SCADA operating system. It would counter infrastructure attacks such as those by Flame, Stuxnet and related malware that has targeted Iran's industrial complex – which may itself get a new defence as that country moves to set up a secure intranet that isolates those systems from the outside world.

Nvidia was busy patching a video driver bug that facilitated root access on Linux systems, while Trend Micro expanded its cloud-security infrastructure. And none too soon: new spyware called FinFisher is apparently letting hackers record Skype conversations, log keystrokes and turn on a victim computer's webcam and microphone – and has been found on five continents.

Such behaviour may be a problem on your home or work computer, but it's the core of a new security platform: Microsoft and the New York Police Department debuted a jointly developed counter-terrorism system that helps find suspects with technology like data analytics, smart cameras and license plate readers.

That sort of system may provide eyes on the ground, but the Obama administration is reportedly considering an executive order that would force government agencies and critical infrastructure owners to implement better controls to secure their networks. The US Department of Energy is following suit, pushing for utilities to create 'cybersecurity governance boards' that would boost the priority of cybersecurity in their formal security and data-sharing programs.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Stories by David Braue