The week in security: Bank security faces Olympic-sized challenges
14 August, 2012 15:30
Olympics-related scams were in full swing as the Games continued, with unsophisticated bulk phishing scams trying to extract hard-earned from punters and search engines dishing up fake Olympic Games domains.
An upgrade of Australia's payment-card security has delivered mixed results, while security executives were warning that mobile apps have become a major new attack vector for cyber criminals. Growing security fears amongst users are destroying user trust in mobile finance, with new 'Shylock' malware replacing the contact phone numbers in online banking sites and the industry reeling from frauds such as a £2.5m deception perpetrated by a Lloyds head of security for online banking.
Even as the Reveton email-based financial malware scam grew, reports suggested surveillance malware was monitoring Middle Eastern banks; it was christened 'Gauss' and has quickly gained notoriety as the latest state-sponsored cyber-espionage tool. Gauss detection tools were soon on offer from two security organisations as discussions and analysis suggested the new Flame variant reflects a boom in malware tools.
Cloud applications could well become a target too, with Apple licking its wounds after a socially-engineered iCloud hack caused problems for journalist Mat Honan and forced Apple to stop password resets over the phone. This notorious hack led Google to push for two-factor authentication, even as a new survey confirmed that around half of companies use cloud-based services to store sensitive data, using a variety of encryption mechanisms.
That could be a worry as statistics show a growing trend towards privacy breaches and regular attacks, with Apple co-founder Steve Wozniak blasting cloud-hosted security. A data breach at the US EPA was part of a 19% increase in privacy breaches from 2010 to 2011, while a survey suggested Web applications are attacked, on average, once every three days. Some executives want to get more proactive in fighting back, while some industry experts argued that IT executives will struggle to enforce security policies without a system of rewards. And CSO wrapped up other conclusions from recent security conferences.
Australia's privacy commissioner confirmed to CSO that he won't be pushing Google to provide Street View 'payload' data that was supposedly destroyed last year, even as the company cops a $US22.5m fine over its circumvention of privacy controls in Apple's Safari browser.
Google was worrying some with the increasing integration of Gmail and Google search, but it wasn't the only offender: a privacy breach by a UK health trust copped a £175,000 ($A260,000) fine, while online games giant Blizzard Entertainment said its internal network had been breached by hackers and Facebook's own privacy settlement got the nod from the US FTC.
Symantec came out warning that hackers have taken a shine to small businesses, while a report suggested US and China-based attacks increased in the first quarter of this year and other criminals are targeting payroll administrators with emailed malware. Even as it patched 14 new Internet Explorer vulnerabilities, Microsoft announced that Windows 8 and its bundled IE10 would include a 'do not track' option, and Google announced that it had built a stronger 'sandbox' for Flash within the Windows version of Chrome.
Security firm Kaspersky is working to tighten security within notoriously-insecure industrial control systems by building a new SCADA operating system. It would counter infrastructure attacks such as those by Flame, Stuxnet and related malware that has targeted Iran's industrial complex – which may itself get a new defence as that country moves to set up a secure intranet that isolates those systems from the outside world.
Nvidia was busy patching a video driver bug that facilitated root access on Linux systems, while Trend Micro expanded its cloud-security infrastructure. And none too soon: new spyware called FinFisher is apparently letting hackers record Skype conversations, log keystrokes and turn on a victim computer's webcam and microphone – and has been found on five continents.
Such behaviour may be a problem on your home or work computer, but it's the core of a new security platform: Microsoft and the New York Police Department debuted a jointly developed counter-terrorism system that helps find suspects with technology like data analytics, smart cameras and license plate readers.
That sort of system may provide eyes on the ground, but the Obama administration is reportedly considering an executive order that would force government agencies and critical infrastructure owners to implement better controls to secure their networks. The US Department of Energy is following suit, pushing for utilities to create 'cybersecurity governance boards' that would boost the priority of cybersecurity in their formal security and data-sharing programs.