Week in security: Picking the real threats after the year of the data breach
- — 03 December, 2012 15:51
The year 2012 has been named ‘the year of the data breach’ after a string of high-profile hacks and the unintentional release of government-held information.
It was also the year in which the high-profile Click Frenzy online-shopping experiment spectacularly crashed and burned in its early hours before recovering. It didn't fail because of a security breach, but the less-than-stellar debut of the Click Frenzy online-shopping experiment still has lessons for IT security professionals in best-practice implementations.
It's rare these days to hear about hacking becoming less common, but that's apparently what's happening on Skype, which has been successfully fighting scammers abusing the Microsoft-owned service. That hasn't stopped the attacks, however, with a Trojan bundled into a fake news.com.au report claiming Australia will be devastated by a tsunami on New Year's Eve.
One researcher found over 20 vulnerabilities in SCADA software controlling industrial systems – and found them easily – while others were advising that new database-targeting malware does not pose a real threat to Iranian businesses.
Also not posing a threat will be LulzSec hacker Jeremy Hammond, who has been denied bail and placed on a terrorist watch list. Romanian authorities also claimed a scalp, dismantling a cybercrime ring that ran up a $US25m bill using other people’s credit cards. And, also on the financial-losses front, a construction company and bank settled a dispute over a $US345,000 online banking theft.
Romanian authorities were also busy dealing with a hack attack on the .ro domains of Google, Microsoft, Yahoo and others, in which the sites were redirected to a less savoury target in the Netherlands. Yet while domain redirection remains an ongoing threat, ‘spear phishing’ is also growing as a mode of attack as email attachments maintain their role as malware couriers.
Cloud security was on the menu as always, with the US government approving privacy protections for cloud-stored email and documents. Hackers figured out a way to steal cloud-computing time using mobile devices, and PGP Corp founder Phil Dunkelberger now turning his hand to a new form of cloud-based authentication.
That's just one part of the process of building a secure place in the cloud for critical data – which, many privacy advocates fear, does not include Facebook; they’re pushing back against privacy-policy changes that would reduce users’ roles in determining how privacy is managed. Facebook may get even more pressure to change its data-sharing plans, however, after the Irish government stepped in with a few questions of its own.
Interestingly, a poll has found that users – who are supposedly highly concerned about privacy – may be less concerned about it if Internet Explorer 10’s Do Not Track feature interferes with the convenience of their passwords and autofills. Speaking of reducing users’ roles in privacy, US-CERT has warned that Samsung printers have a hardcoded administrator account that makes them vulnerable to attack and remote control. Ditto the installer for Web analytics platform Piwik, which was compromised by an unknown attacker.
With such exploits both common and potentially disastrous, a number of vendors are working to secure such privileged-access accounts. They may need to broaden their scope: a string of hotel break-ins in the US city of Houston is being blamed on a door-lock exploit revealed earlier this year at the Black Hat security conference. Political targets got their share of hacker love as the International Atomic Energy Agency was compromised and a large number of nuclear experts’ email addresses leaked by hackers. US police are exploring how sensitive documents with details of a visit by presidential candidate Mitt Romney ended up being shredded and spread across a New York street.
Meanwhile, the European Union has boosted its cybersecurity budgetby 14 percent, while security firm Imperva has suggested that antivirus software is now so ineffective that most businesses could probably boost their own budgets by simply not buying it. That may be unlikely in practice, however, with forecasts suggesting global information-security spending will reach $US17.14 billion by 2017 as CIOs make security an enterprise necessity.
There’s no mention of how much of that will come from Syria, where the entire country suffered an apparently government-imposed, two-day Internet blackout. The move incurred the wrath of Anonymous, which has vowed to bring the Syrian government’s online presence to its knees. Yet some observers are becoming more and more sceptical, with one expert suggesting that the so-called ‘cybergeddon’ is most likely to be caused by a ‘glorious cock-up’ rather than a state-sponsored cyber attack.