Week in security: Picking the real threats after the year of the data breach

The year 2012 has been named ‘the year of the data breach’ after a string of high-profile hacks and the unintentional release of government-held information.

It was also the year in which the high-profile Click Frenzy online-shopping experiment spectacularly crashed and burned in its early hours before recovering. It didn't fail because of a security breach, but its less-than-stellar debut still has lessons for IT security professionals in best-practice implementations.

It's rare these days to hear about hacking becoming less common, but that's apparently what's happening on Skype, which has been successfully fighting scammers abusing the Microsoft-owned service. That hasn't stopped the attacks, however, with a Trojan bundled into a fake news.com.au report claiming Australia will be devastated by a tsunami on New Year's Eve.

One researcher found over 20 vulnerabilities in SCADA software controlling industrial systems – and found them easily – while others were advising that new database-targeting malware does not pose a real threat to Iranian businesses.

Also not posing a threat will be LulzSec hacker Jeremy Hammond, who has been denied bail and placed on a terrorist watch list. Romanian authorities also claimed a scalp, dismantling a cybercrime ring that ran up a $US25m bill using other people’s credit cards. And, also on the financial-losses front, a construction company and bank settled a dispute over a $US345,000 online banking theft.

Romanian authorities were also busy dealing with a hack attack on the .ro domains of Google, Microsoft, Yahoo and others, in which the sites were redirected to a less savoury target in the Netherlands. Yet while domain redirection remains an ongoing threat, ‘spear phishing’ is also growing as a mode of attack as email attachments maintain their role as malware couriers.

Cloud security was on the menu as always, with the US government approving privacy protections for cloud-stored email and documents. Hackers figured out a way to steal cloud-computing time using mobile devices, and PGP Corp founder Phil Dunkelberger is now turning his hand to a new form of cloud-based authentication.

That's just one part of the process of building a secure place in the cloud for critical data – which, many privacy advocates fear, does not include Facebook; they’re pushing back against privacy-policy changes that would reduce users’ roles in determining how privacy is managed. Facebook may get even more pressure to change its data-sharing plans, however, after the Irish government stepped in with a few questions of its own.

Interestingly, a poll has found that users – who are supposedly highly concerned about privacy – may be less concerned about it if Internet Explorer 10’s Do Not Track feature interferes with the convenience of their passwords and autofills. Speaking of reducing users’ roles in privacy, US-CERT has warned that Samsung printers have a hardcoded administrator account that makes them vulnerable to attack and remote control. Ditto the installer for Web analytics platform Piwik, which was compromised by an unknown attacker.

Responses to such problems may be compromised by differences of opinion between CERTs and police, but Samsung wasted no time in issuing a fix for the security problem.

With such exploits both common and potentially disastrous, a number of vendors are working to secure such privileged-access accounts. They may need to broaden their scope: a string of hotel break-ins in the US city of Houston is being blamed on a door-lock exploit revealed earlier this year at the Black Hat security conference. Political targets got their share of hacker love as the International Atomic Energy Agency was compromised and a large number of nuclear experts’ email addresses leaked by hackers. US police are exploring how sensitive documents with details of a visit by presidential candidate Mitt Romney ended up being shredded and spread across a New York street.

Meanwhile, the European Union has boosted its cybersecurity budget by 14 percent, while security firm Imperva has suggested that antivirus software is now so ineffective that most businesses could probably boost their own budgets by simply not buying it. That may be unlikely in practice, however, with forecasts suggesting global information-security spending will reach $US17.14 billion by 2017 as CIOs make security an enterprise necessity.

There’s no mention of how much of that will come from Syria, where the entire country suffered an apparently government-imposed, two-day Internet blackout. The move incurred the wrath of Anonymous, which has vowed to bring the Syrian government’s online presence to its knees. Yet some observers are becoming more and more sceptical, with one expert suggesting that the so-called ‘cybergeddon’ is most likely to be caused by a ‘glorious cock-up’ rather than a state-sponsored cyber attack.

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.
