The week in security: appealing to hackers' good sides
21 August, 2012 16:00
Julian Assange may be in the news for curious reasons these days, but the organisation he created raised eyebrows after the release of hacked emails from analyst firm Stratfor suggested companies including Google and Salesforce.com may be interested in video-surveillance and analysis tool Trapwire.
Also on the questionable side of video surveillance was Facebook, as German authorities reopened proceedings against the company's facial-recognition technology, while some were suggesting that facial recognition technologies should be regulated to prevent abuse. Media sites, meanwhile, are getting ready for abuse of a different sort as they steel themselves for an expected surge in politically motivated 'hacktivist' attacks such as the recent attack on energy giant Saudi Aramco.
One good-old activist lodged a complaint against Germany's ban on anonymous SIM card use even as hackers were still up to their old tricks, with a US medical centre reportedly held for ransom by hackers who encrypted thousands of patient records and emails. Another new piece of malware had some scratching their heads after it installed a new font on victims' computers.
Vendor Trusteer said an attack on an airport VPN illustrated that hackers had figured out how to circumvent multi-factor authentication systems. Media giant Reuters was hacked for the second time in a month, while a nasty new piece of malware called Shamoon deletes the contents of victims' computers and prevents a reboot.
The severity of such exploits was reinforced by the revelation that many security suites cannot defend against recent exploit-based attacks. Many are concerned that today's malware has taken a turn towards the nasty with the next generation of attacks more insidious than ever.
As the rise of state-sponsored hacking changes the nature of security and US politicians continue their stalemate over security legislation, the head of the US National Security Agency was appealing to hackers' good sides as he entreated attendees at the recent Defcon conference to help him keep the online world secure.
Consumers may also play a role as security pundits consider whether consumers should be forced to use enterprise-grade security to ensure they're protected online. One expert said that it's "possible, but not likely"; what do you think? Speaking of enterprise-grade security: some in the security industry are arguing that vendors should be pressured by businesses to upgrade to 1024-bit security before hackers catch up with the relatively weaker 128-bit and 256-bit encryption being used in current scenarios.
Along similar lines, governments may be pushed into a wave of website upgrades after new NIST encryption guidelines were put out for public review; none too soon, as a jump in phishing attacks during July suggested the public sector was being targeted by digital troublemakers.
Encryption or no encryption, an AFP security investigator said that Australian police agencies tend not to push for evidence discovery through mutual assistance treaties because it takes so long to get the information – often up to two years – that police cannot present it within statutory 90-day limits.
Even as security experts continued to deconstruct Gauss malware and called out for help in decrypting its payload, Russian security firm Dr Web warned that 140,000 Macs are still infected with Flashback malware and scientists in Switzerland were working on a way to ferret out the source of malware and spam attacks.
Many of those attacks are generated automatically through rootkit tools, so it was an interesting turning of the tables to see security vendor Prolexic detailing vulnerabilities it discovered in a hacker toolkit used to launch DDoS attacks against company networks. Turns out the authors of the toolkit left the system's C&C servers open to attack through discovered vulnerabilities in their code.
Microsoft was taking its own steps to improve security, encouraging developers to buy Extended Validation code-signing certificates to ensure their software isn't flagged by Windows 8's SmartScreen 'reputation checker'. These issues can become big problems, as Adobe found out after the Google Chrome security team revealed flaws in Adobe Reader because the company won't release its own updates until August 27. Adobe had its own problems, pulling mobile Flash for its instability but concerning many because of its lack of a 'kill switch' to turn off existing installs.
On the privacy front, Microsoft found itself on the wrong side of advertisers after announcing it would enable a do-not-track mode in its upcoming Internet Explorer 10 browser (Windows 8 RTM shows how it will look). Perhaps they should take some cues from police, who by some accounts are getting much better at finding people based on their online activity. And they're not the only ones: reports said Michael Dell's teenage daughter had her Twitter account shut down after the family's security team became concerned that her tweets were sharing too much information about the family's movements.
The continuing assault by hackers is driving startup company SecurityStarfish to try to position itself as a 'CISO collective' through which security executives can share information on attacks to try and be more proactive in fighting future attacks. Google is backing its call for better transparency in Chrome bug reporting with cash, offering $US2m for major vulnerabilities discovered at the upcoming Pwnium hacking contest.