The week in security: Zombie browsers and security horror stories

Companies are struggling to control cloud-computing, social media and mobile risks, a new survey of CIOs and CISOs has revealed (little wonder, with over 290,000 Google Play Android apps labelled ‘high risk’ and the top five mobile threats of the year looking nasty indeed). These failures could cause more than annoyances for companies, with courts said to be broadening the scope of company liability for financial harm caused by security breaches.

Yet the sharing of private information, apparently, is fine with many companies: privacy group Privacy International suggested that many transit card authorities voluntarily hand over traveller information to law-enforcement agencies. On a similar note, a US Supreme Court judge was questioning the legitimacy of a law allowing secretive government surveillance, while Georgia took a different approach by blowing the cover of a Russia-based hacker who had decided to spy on the wrong people.

Some are wondering whether and how the government can stimulate the training of a new generation of cyber security professionals, while others argue that they’re out there but are just “socially awkward”. Not so much the hacker community, which is apparently using online forums to induct new cyber-criminals. Fighting them will require a ‘cyber reserve’ of security professionals, one US government figure has warned.

UK police arrested three men making a similar lapse of judgement after they ran large-scale Trojan phishing attacks against several banks. One Australian security researcher wrote a plea to Attorney-General Nicola Roxon to reconsider her data-retention proposal, while others warned about the invariable spike in fraudulent activity around Christmas time. With malware infecting 13% of North American home networks, the stage is already set.

Privacy advocates are unhappy about Yahoo’s decision to ignore the ‘Do Not Track’ feature of Microsoft’s Internet Explorer 10 browser. Also on the browser front, researchers warned that “zombie browsers” are being created as embedded malware tricks browsers into spying on users in a variety of ways. Mozilla updated Firefox 16 to address security flaws and introduced a pre-loaded list of secure-only domains, while the makers of email server Exim released an emergency update.

Security firm Kindsight published its list of the top ten worst botnets in 2012, while security firm Stratasec warned that many cloud-computing providers were failing to monitor and block malicious traffic coming from their networks. This not only makes them a spawning ground for malware attacks and botnets, but paves the way for difficult situations such as the one in which over 50 Australian network operators were blamed for contributing to a three-week DDoS attack on a US company’s customers.

Meanwhile, the increasing trend towards infrastructure attacks led to US government warnings about insecure industrial control systems. Yet despite the warnings, hopes are fading that long-anticipated US-government cybersecurity legislation or executive orders will be released before the end of the year. The most headway is being made by local efforts, such as California’s efforts to crack down on breaches of residents’ mobile privacy.

Given that enterprises have been completely unable to stop the spread of these and other nasties, one security figure is arguing that perimeter-based ideas about breach prevention are dead, and that the focus should be on managing breaches instead. Or, you can always just try to hit them harder: big-data security startup CrowdStrike hired an ex-US Air Force colonel to drive its efforts to make targeted malware attacks easier to respond to.

The threat from that practice – controversial as it is – clearly didn’t deter Anonymous, which took on online-games giant Zynga, threatening to make some of its games available for free online if it didn’t back away from plans to offshore its development. It’s the latest in a trend towards high-profile hacks that are seeing data stolen and exploited for a broad range of purposes. The security stories people are sharing are enough to make the hairs on the back of your neck stand up. Then again, one Australian survey has suggested things aren’t nearly as bad as we’re being told. But maybe they just want you to believe that.

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.


Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.