The week in security: Zombie browsers and security horror stories

Companies are struggling to control cloud-computing, social media and mobile risks, a new survey of CIOs and CISOs has revealed (little wonder, with over 290,000 Google Play Android apps labelled ‘high risk’ and the top five mobile threats of the year looking nasty indeed). These failures could cause more than annoyances for companies, with courts said to be broadening the scope of company liability for financial harm caused by security breaches.

Yet the sharing of private information, apparently, is fine with many companies: privacy group Privacy International suggested that many transit card authorities voluntarily hand over traveller information to law-enforcement agencies. On a similar note, a US Supreme Court judge was questioning the legitimacy of a law allowing secretive government surveillance, while Georgia took a different approach by blowing the cover of a Russia-based hacker who had decided to spy on the wrong people.

Some are wondering whether and how the government can stimulate the training of a new generation of cyber security professionals, while others argue that they’re out there but are just “socially awkward”. Not so much the hacker community, which is apparently using online forums to induct new cyber-criminals. Fighting them will require a ‘cyber reserve’ of security professionals, one US government figure has warned.

UK police arrested three men making a similar lapse of judgement after they ran large-scale Trojan phishing attacks against several banks. One Australian security researcher wrote a plea to Attorney-General Nicola Roxon to reconsider her data-retention proposal, while others warned about the invariable spike in fraudulent activity around Christmas time. With malware infecting 13% of North American home networks, the stage is already set.

Privacy advocates are unhappy about Yahoo’s decision to warned that “zombie browsers” are being created as embedded malware tricks browsers to spy on users in a variety of ways. Mozilla updated Firefox 16 to address security flaws and introduced a pre-loaded list of secure-only domains, while the makers of email server Exim released an emergency update.

Security firm Kindsight published its list of the top ten worst botnets in 2012, while security firm Stratasec warned that many cloud-computing providers were failing to monitor and block malicious traffic coming from their networks. This not only makes them a spawning ground for malware attacks and botnets, but paves the way for difficult situations such as the one in which over 50 Australian network operators were blamed for contributing to a three-week DDoS attack on a US company’s customers.

Meanwhile, the increasing trend towards infrastructure attacks led to US government warnings about insecure industrial control systems. Yet despite the warnings, hopes are fading that long-anticipated US-government cybersecurity legislation or executive orders will be released before the end of the year. The most headway is being made by local efforts, such as California’s efforts to crack down on breaches of residents’ mobile privacy.

Given that enterprises have been completely unable to stop the spread of these and other nasties, one security figure is arguing that perimeter-based ideas about breach prevention are dead, and that the focus should be on managing breaches instead. Or, you can always just try to hit them harder: big-data security startup CrowdStrike hired an ex US Air Force colonel to drive its efforts to make targeted malware attacks easier to respond to.

The threat from that practice – controversial as it is – clearly didn’t deter Anonymous, which took on online-games giant Zynga, threatening to make some of its games available for free online if it didn’t back away from plans to offshore its development. It’s the latest in a trend towards high-profile hacks that are seeing data stolen and exploited for a broad range of purposes. The security stories people are sharing are enough to make the hairs on the back of your neck stand up. Then again, one Australian survey has suggested things aren’t nearly as bad as we’re being told. But maybe they just want you to believe that.
