The week in security: Huawei, ZTE, Galaxy Tab deemed unacceptable for business use
15 October, 2012 11:59
How much damage could a malware infection do in your company? A new study found that cyberattacks cost an average $US8.9m to clean up. This, in the context of a relentless exposure profile that saw Windows 7's malware infection rate climb by up to 182% this year.
The popularity of key-generation software intended to help 'crack' trial software – but which actually delivers malware 75% of the time – could be one factor. The actual number could, however, be much higher amidst reports that the volume of reported application vulnerabilities has increased.
This, amidst suggestions that antivirus solutions miss 60% of in-the-wild malware. Users continue to click on questionable links such as the 'Dorkbot' Skype malware link at a rate of knots, while Japanese police were dealing with a bizarre case after two men were arrested on suspicion of making murder threats and malware was ultimately fingered as the likely culprit. Microsoft's Bing search engine was also on the malware watch list after it was suggested that malware-embedded images are causing major headaches for users.
Meanwhile, researchers identified a piece of malware that recruits systems for a commercial proxy service. In many other cases, legitimate notices, such as ISP advisories, are being ignored by Australians who think they're spam.
Far less secure are some of the devices end-users are sneaking into companies thanks to increasingly permissive bring your own device (BYOD) policies: Research In Motion CIO Robin Bienfait has his concerns about iPhones or Android devices, for example, while getting forensic data from smartphones and tablets can be difficult. And Samsung's Galaxy Tab reportedly has enough flaws that analysts warn that it cannot be recommended for enterprise use.
Neither, it would seem, can networking hardware from Chinese vendors Huawei and ZTE. Analysts were weighing in on the ongoing controversy over the vendors, with many arguing that concerns over their security are more an issue of politics than actual fact. Yet this didn't stop Cisco Systems from cutting ties with ZTE after it was alleged ZTE sold Cisco gear to the government of Iran, and both companies were blacklisted after a US congressional committee named them as security threats.
Huawei hit back, arguing that the report is "not fact-based", but analysts agreed the report raises real concerns. Some questioned why Huawei is still acceptable for use in New Zealand; a UK parliamentary committee began looking into the relationship between BT and Huawei; and still others said that while the concerns were understandable, there were other, technical reasons not to use Huawei routers.
Even the phones aren't safe anymore, with users relating tales of woe as US Federal Trade Commission action targeted Indian scammers posing as Microsoft technical support officers. Security firm Websense warned that targeted 'spear-phishing' attacks are targeting focused-interest sites, while 30 US banks were targeted by a Russian criminal syndicate. Along similar lines, Natwest Bank suspended its GetCash mobile application service after it was bilked out of thousands of pounds through phishing attacks. Furthermore, three more US banks have been targeted by Islamic hacktivists. These sorts of targeted attacks could cripple the US, the US Secretary of Defense warned, while a UK academic was concerned about a loophole in EU data protection laws, and it was revealed that a Facebook lookup feature can be used to find the phone numbers and names of their owners.
Facebook soon patched the hole, but this sort of capability has strengthened calls for more social-media regulation. But administrators at one school didn't even have to work that hard to track people, with a Texas school district using RFID tags to track the locations of what could eventually be nearly 100,000 students. A Japanese mobile app was proving equally adept at compromising security after it published up to 760,000 address book entries from its users in a publicly searchable database. And, it was revealed, German police have been monitoring Facebook, Gmail and Skype conversations for years.
RSA launched an implementation of a theoretical security improvement with an app that splits stored passwords into two pieces, theoretically making them harder to steal. Yet even the best-protected software can be vulnerable: Mozilla pulled and then re-released its new Firefox 16 browser after a security vulnerability was found, while a hacker scored $US60,000 after compromising Google's Chrome browser at the Hack In The Box conference in Kuala Lumpur. Tongues were wagging after two Pirate Bay founders were supposed to speak at the event but failed to show up before being belatedly located.
Finally, the relationship between CIOs and CSOs was under the spotlight as a CSO-PricewaterhouseCoopers survey found that a disconnect between the two executives' priorities can become a major loss for companies. Another relationship was also strained as Anonymous and WikiLeaks had a falling-out of sorts, with an angry Anonymous claiming WikiLeaks has become all about Julian Assange.