Week in security: FreeBSD hacked as Facebook, Adobe redouble security efforts

Smart meters have long been a contentious issue in Australia and elsewhere, but some researchers warn that they're broadcasting unencrypted usage information that could be used to figure out whether you're at home or not.

That capability might be useful for authorities pursuing McAfee founder John McAfee, who is wanted for murder and has launched a blog to defend himself – and to taunt police while he avoids capture.

Hacker group Anonymous has been launching waves of DDoS attacks on Israeli government and corporate Web sites in retaliation for the country's strikes against Gaza Strip targets. Also in the Middle East, researchers found yet another piece of malware that appears to be targeting Iran and, specifically, SQL databases.

In a move that hints it's taking security a little more seriously, Facebook is rolling out HTTPS to all of its users by default, winning praise from critics. HTTPS got a fillip from the release of HTTP Strict Transport Security, a new standard designed to boost website resiliency, while Facebook also scored a coup as Firefox added Facebook features into its new Firefox 17 browser.

Adobe has been managing so many patches for its Flash Player that it has synchronised its update schedule with Microsoft's Patch Tuesdays. That can't be a bad thing, since Microsoft is warning that automated exploit kits have been updated to exploit a Java Runtime Environment vulnerability disclosed by Oracle in October. One such Java exploit, the Skype-distributed Dorkbot, was reported to have hit 3.5m PCs in 30 days.

Also with reason to be concerned about security is anybody using the FreeBSD operating system, which has been compromised by hackers in a breach that has led the FreeBSD Project to advise anybody using the OS to completely reinstall their machines. Also in the sights was Linux, which has suffered a rootkit attack that, security researchers warn, has been designed to selectively infect victims in drive-by website attacks.

Hackers have found other ingenious ways of compromising security, with a new Symantec-discovered exploit found to be using Google Docs as a proxy for hiding malicious command-and-control traffic. Malware authors managed to put spoofed versions – which were subsequently removed – of Apple's Garage Band music software and iWork productivity suite onto Google's Play app store.

Meanwhile, US policymakers were rushing to assuage concerns that they were relaxing controls to manage authorities' access to email and other electronic communications. The demise of that country's cybersecurity bill, however, has indicated that presidential intervention may be necessary to clarify government policy.

Also on the privacy front, the governor of the US state of South Carolina hit out against US tax office shortcomings as the cause of a security breach that exposed the credit card, bank account and government social-services details of 3.8m taxpayers.

Whatever the cause, those authorities will be thankful they're not under the jurisdiction of proposed European legislation that would give authorities the power to levy fines of 2% of global turnover for privacy breaches; Facebook, unsurprisingly, hates the idea, even as it faces a legal threat over unsolicited advertising in the news feeds of its Scandinavian users. The social-networking giant also revoked users' rights to vote on policy changes because their comments in the past hadn't been good enough.

Google, for its part, destroyed data about New Zealand Wi-Fi networks collected during its Google Street View meanderings. The company's privacy approach was subsequently praised by privacy advocates, while the UK Information Commissioner's Office has offered a code of practice to help organisations guard personal privacy when publishing information into the public domain.

A convicted hacker plans to appeal his felony conviction for exposing a privacy weakness related to AT&T's iPad users, while a Maltese security firm said it has discovered a motherlode of SCADA vulnerabilities but will sell them to paying customers rather than telling the affected software vendors.

Amongst the usual flood of bad security news, researchers made a breakthrough as Toshiba reported it had found a way to send quantum encryption keys over an ordinary fibre connection. Whether or not that hastens the introduction of hack-proof computing for the masses remains to be seen, but it never hurts to hope.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Stories by David Braue