The week in security: hackers banking on human, technological shortcomings

The US government is on the verge of announcing a winner for its competition to build a new cryptographic hash algorithm – but not everyone thinks it's necessary. Current encryption can do the job nicely and – in the case of some cloud-computing services – for free. Cloud providers are responsible for your personal data when it's loaded into cloud services, but encrypting it may prove valuable if you're not entirely convinced.

You might not think it from the blanket coverage of one hack attack after another – witness the Adobe code-signing certificates compromised by hackers and used to sign malware as authentic – but research firm Forrester Research has concluded that most data breaches are caused by employees, not renegade hackers from the outside. Little wonder: a recent survey has found that six out of 10 consumers reuse the same online passwords over and over.

Facebook was on the back foot denying what the media labelled a major privacy breach after old private messages inexplicably surfaced on users' timelines; the claim later turned out to be a false alarm. But it wasn't a false alarm when a researcher pointed out that the standards group IEEE had exposed nearly 100,000 members' usernames and passwords, earning the contempt of security analysts who called the organisation "plain stupid".

Hackers had the banking community on edge as Bank of America and JP Morgan suffered attacks from "Islamic hacktivists" supported by large-scale DDoS attacks. The situation got nastier after the hackers named another target – PNC Bank – and proceeded to make good on their threat despite the warning.

The FBI has come out warning banks not to let employees go online from sensitive payment computers after it uncovered a scam that was netting criminals six figures per attack. DDoS attacks were used to distract the banks during the thefts – leading some experts to warn that banks can only "hope for the best" in such situations – although Iran has denied it was responsible for the attacks.

Separately, a group of hackers called the Arab Electronic Army has attacked numerous Western websites in retaliation for the controversial film Innocence of Muslims, while a Canadian energy firm confirmed that some of its customers' project files had been compromised. A download mirror server for the SourceForge software repository was compromised to distribute a backdoored phpMyAdmin package, while some Twitter users were being sent malicious links via direct message.

The good guys were also attacking, with Microsoft's Digital Crimes Unit chalking up more and more wins against malicious botnets. A former US Department of Human Services official has gone on record advocating that the best hacker defence is a good offence. Google has patched 24 bugs in Chrome after paying out $29,000 to the researchers who found them, while Mozilla launched the first beta of a new website authentication system called Persona. And a new tool called Tufin SecureApp has been designed to simplify firewall management.

Mobile security was also in the news, with Android and iOS security apps in high rotation after a growing number of mobile-related snafus – including a Samsung browser bug that lets a device be remotely wiped by visiting a certain website; subsequent investigations confirmed the attack works across a variety of Android phones.

This comes amidst revelations that mobile malware volumes are up by 2,180 per cent. Even mobile adware in Android apps is "getting more aggressive", by some accounts, as Sophos rolled out new mobile apps to strengthen anti-malware and encryption defences.

A number of computer-rental companies in the US have settled with that country's Federal Trade Commission after it was revealed they had installed snooping software that captured personal information, logged keystrokes, and even took webcam pictures of customers in their homes. The firms have been hit with a 20-year ban on similar behaviour.

Meanwhile, a scam involving ransomware masquerading as law-enforcement information reached this side of the pond. Over in New Zealand, there were mixed emotions about the proposed 'Cyberbullying Bill' that some fear would interfere with free speech. Interestingly, despite the fear of anonymous online attacks and privacy violations, one website has come out telling visitors it will not honour their Web browsers' do-not-track requests, in protest against privacy groups and others supporting the technology.
