The week in security: Was it the FBI's Apple data, or not?
- — 13 September, 2012 12:40
Reports were questioning corporate security culture as KPMG suggested a lack of legislation around mandatory data breach notifications has left many Australian companies tight-lipped on the subject.
Talk about it or not, it's still happening: A bank refunded $12,000 to a victim of ATM 'skimming', while two executives at an ATM-owning company were jailed for a racket that stole $US4.8m from a Rhode Island bank.
Financial motivations weren't the only thing hitting the news: a hacktivist stole data from three UK Police Web sites, apparently as a show of support for Julian Assange. Support for Assange also drove DDoS attacks on UK, US and Swedish government Web sites.
These and other crimes were the subject of a manual on how international law applies to cyberwarfare. Case in point: revelations that certificate authority Comodo was tricked into selling a code-signing certificate to a banking Trojan distributor, or the leaking of 1 million Apple user IDs said to have been stolen from an FBI agent's laptop.
Breaches are certainly happening all the time: storage firm Imation, for one, reported that public-sector organisations have driven a tenfold rise in data breaches since 2007, while a separate survey found that encryption usage has increased 20 per cent annually since 2008.
Straight from the vulnerabilities department, researchers found a critical vulnerability in a new Java 7 security update. Reinforced by an Apple update to fix Java security issues, some started to ask whether Java's time has come at last. But Java may only be the tip of the iceberg: an Avecto survey suggested that most IT professionals have no idea what's running on their networks – particularly worrying since many organisations let young workers run applications with full administrative privileges just to avoid incurring their wrath.
Meanwhile, Siemens arm RuggedCom discovered new vulnerabilities in its industrial switches. Linux and Mac OS X users were being targeted by a password-stealing Trojan called 'Wirenet', while a security firm suggested the nefarious 'Wiper' worm was linked to the previous Duqu attack.
Virtualisation vendor VMware had an interesting take on smartphone virtualisation, unveiling a new platform for device and application mobility after (allegedly) gaming iOS security to create virtual workspaces.
Facebook was going on the offensive against scammers, eliminating fraudulent 'Likes' that inflate a page's perceived importance. Facebook users may be surprised at the results of a Secure.me browser plug-in that tells them what information is being collected by third-party applications.
Russia's Defence Ministry seems to have already noticed the alarming level of detail going back to Google – and has released a new tablet for Kremlin users that runs a version of malware-prone Android that has been modified to take out the operating system's back-to-base reporting.
And, just slightly westward, Germany's federal police are recruiting to develop their own surveillance software to help in investigations.
Meanwhile, with the anniversary of September 11, many were questioning whether the US government's anti-cybersecurity efforts are going to be enough. Some said a presidential Executive Order, issued in lieu of a congressional consensus, might have some interim effect but the jury's still out on its long-term impact.