Week in security: FreeBSD hacked as Facebook, Adobe redouble security efforts
28 November, 2012 10:08
Smart meters have long been a contentious issue in Australia and elsewhere, but some researchers warn that they're broadcasting unencrypted usage information that could be used to figure out whether you're at home or not.
Hacker group Anonymous has been launching waves of DDoS attacks on Israeli government and corporate Web sites in retaliation for the country's strikes against Gaza Strip targets. Also in the Middle East, researchers found yet another piece of malware that appears to be targeting Iran and, specifically, SQL databases.
In a move that hints it's taking security a little more seriously, Facebook is rolling out HTTPS to all of its users by default, winning praise from critics. HTTPS got a fillip from the release of HTTP Strict Transport Security, a new standard designed to boost website resiliency, while Facebook also scored a coup as Firefox added Facebook features into its new Firefox 17 browser.
Adobe has been managing so many patches for its Flash Player that it has synchronised its update schedule with Microsoft's Patch Tuesdays. That can't be a bad thing, since Microsoft is warning that automated exploit kits have been updated to exploit a Java Runtime Environment vulnerability disclosed by Oracle in October. One such Java exploit, the Skype-distributed Dorkbot, was reported to have hit 3.5m PCs in 30 days.
Also set to be concerned about security is anybody using the FreeBSD operating system, which has been compromised by hackers in a breach that's led the FreeBSD Project to advise anybody using the OS to completely reinstall their machines. Also in the sights was Linux, which has suffered a rootkit attack that has, security researchers warn, been designed to selectively infect victims in drive-by website attacks.
Hackers have found other ingenious ways of compromising security, with a new Symantec-discovered exploit found to be using Google Docs as a proxy for hiding malicious command-and-control traffic. Malware authors managed to put spoofed versions – which were subsequently removed – of Apple's Garage Band music software and iWork productivity suite onto Google's Play app store.
Meanwhile, US policymakers were rushing to assuage concerns that they were relaxing controls to manage authorities' access to email and other electronic communications. The demise of that country's cybersecurity bill, however, has indicated that presidential intervention may be necessary to clarify government policy.
Also on the privacy front, the governor of the US state of South Carolina hit out against US tax office shortcomings as the cause of a security breach that exposed the credit card, bank account and government social-services details of 3.8m taxpayers.
Whatever the cause, those authorities will be thankful they're not under the jurisdiction of proposed European legislation that would give authorities the power to levy fines of 2% of global turnover for privacy breaches; Facebook, unsurprisingly, hates the idea, even as it faces a legal threat over unsolicited advertising in the news feeds of its Scandinavian users. The social-networking giant also revoked users' rights to vote on policy changes because their comments in the past hadn't been good enough.
Google, for its part, destroyed data about New Zealand Wi-Fi networks collected during its Google Street View meanderings. The company's privacy approach was subsequently praised by privacy advocates, while the UK Information Commissioner's Office has offered a code of practice to help organisations guard personal privacy when publishing information into the public domain.
A convicted hacker plans to appeal his felony conviction for exposing a privacy weakness related to AT&T's iPad users, while a Maltese security firm said it's discovered a motherlode of SCADA vulnerabilities but will sell them to paying customers rather than telling the affected software vendors.
Amongst the usual flood of bad security news, researchers made a breakthrough as Toshiba reported it had found a way to send quantum encryption keys over an ordinary fibre connection. Whether or not that hastens the introduction of hack-proof computing for the masses remains to be seen, but it never hurts to hope.