The week in security: hackers banking on human, technological shortcomings
04 October, 2012 09:50
The US government is on the verge of announcing a winner for its competition to build a new cryptographic hash algorithm – but not everyone thinks it's necessary. Current encryption can do the job nicely and – in the case of some cloud-computing services – for free. Cloud providers are responsible for your personal data when it's loaded into cloud services, but encrypting it may prove valuable if you're not entirely convinced.
You might not think it from the blanket coverage of one hack attack after another – witness the Adobe code-signing certificates compromised by hackers and used to sign malware as authentic – but research firm Forrester Research has concluded that most data breaches are caused by employees, not renegade hackers from the outside. Little wonder: a recent survey has found six out of 10 consumers use the same online passwords, over and over.
Facebook was on the back foot denying what the media labelled a major privacy breach after old private messages inexplicably surfaced on users' timelines; the claim later turned out to be a false alarm. But it wasn't a false alarm when a researcher pointed out that standards group the IEEE exposed nearly 100,000 members' usernames and passwords and earned the contempt of security analysts who called the organisation "plain stupid".
Hackers had the banking community on edge as Bank of America and JP Morgan suffered attacks from "Islamic hacktivists" supported by large-scale DDoS attacks. The situation got nastier after the hackers named another target – PNC Bank – and proceeded to make good on their threat despite the warning.
The FBI has come out warning banks not to let employees go online using sensitive payment computers after they uncovered a scam that was securing criminals six figures per attack. DDoS attacks were used to distract the banks during the thefts – leading some experts to warn that banks can only "hope for the best" in such situations – although Iran has denied it was responsible.
Separately, a group of hackers called the Arab Electronic Army has attacked numerous Western websites in retaliation for the controversial film Innocence of Muslims, while a Canadian energy firm confirmed that some of its customers' project files had been compromised. A download mirror server for the SourceForge software repository was compromised to distribute a back-door phpMyAdmin package, while some Twitter users were being sent malicious links via direct message.
The good guys were also attacking, with Microsoft's Digital Crimes Unit chalking up more and more wins against malicious botnets. A former US Department of Human Services official has gone on record advocating that the best hacker defence is a good offence. Google has patched 24 bugs in Chrome after paying out $29,000 to the researchers who found them, while Mozilla launched the first beta of a new website authentication system called Persona. And a new tool called Tufin SecureApp has been designed to simplify firewall management.
Mobile security was also in the news, with Android and iOS security apps in high rotation after a growing number of mobile-related snafus – including a Samsung browser bug that lets a device be remotely wiped by visiting a certain website; subsequent investigations confirmed the attack works across a variety of Android phones.
This, amidst revelations that mobile malware volumes are up by 2,180 per cent. Even mobile adware in Android apps is "getting more aggressive", by some accounts, as Sophos rolled out new apps for boosting defences against mobile malware and for encryption.
A number of computer-rental companies in the US have settled with that country's Federal Trade Commission after it was revealed they had installed snooping software that captured personal information, logged keystrokes, and even took Webcam pictures of customers in their homes. The firms have been hit with a 20-year ban on similar behaviour.
Meanwhile, a scam involving ransomware masquerading as law-enforcement information reached this side of the pond. Over in New Zealand, there were mixed emotions about the proposed 'Cyberbullying Bill' that some fear would interfere with free speech. Interestingly, despite the fear of anonymous online attacks and privacy violations, one website has come out telling visitors it will not honour their Web browsers' do-not-track requests, in protest against privacy groups and others supporting the technology.