The week in security: Government recruits cyber-army as hackers circumvent protections

Google is facing legal action in the UK over the way it undermines the Safari Web browser's privacy settings – somewhat ironic given the magnitude of its $US3.14159m prize for hacking its Chrome OS.

Also bypassing browser settings, but attracting no legal action at the moment, is Java – whose newly improved security settings, reports suggest, have already been worked around. Symantec, meanwhile, was on the defensive after claims that its products had been circumvented in a cyberattack on The New York Times; peer and competitor The Wall Street Journal was also hit.

They weren't the only exploits doing the rounds: another piece of browser-hijacking malware disguises its back-to-base signals as lookups of the perfectly legitimate Sender Policy Framework (SPF), the DNS TXT-record mechanism used to authenticate email senders. And another email attack exploits a vulnerability in Yahoo!'s site to hijack email accounts.
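The SPF item above illustrates why a record that merely "looks like SPF" deserves a second glance. SPF records are plain TXT strings with a small, fixed grammar (RFC 7208), so a defender can check whether the terms in a record are actually SPF mechanisms or something else riding along. The script below is an added example written for this page, not code from the article or from any vendor it names; the sample TXT records are constructed, and the base64-looking token in the last one stands in for an opaque payload.

```python
"""Flag SPF TXT records whose terms fall outside the RFC 7208 grammar.

Added example for this page (not the article's own code). The records in
SAMPLE_TXT_RECORDS are constructed; nothing here performs a live DNS query.
"""
import re

# Simplified RFC 7208 term grammar: an optional qualifier, then a mechanism.
# Domain-specs are accepted as any non-space run; CIDR lengths are not
# range-checked. Case-insensitive, as SPF mechanism names are.
QUAL = r"[+\-~?]?"
DUAL_CIDR = r"(/\d{1,3})?(//\d{1,3})?"
MECHANISM = re.compile(
    QUAL + r"(?:all|include:\S+|a(?::[^\s/]+)?" + DUAL_CIDR
    + r"|mx(?::[^\s/]+)?" + DUAL_CIDR
    + r"|ptr(?::\S+)?|ip4:\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?"
    + r"|ip6:[0-9A-Fa-f:.]+(?:/\d{1,3})?|exists:\S+)$",
    re.IGNORECASE,
)
# The two modifiers RFC 7208 actually defines.
MODIFIER = re.compile(r"(?:redirect|exp)=\S+$", re.IGNORECASE)


def check_spf(record: str) -> dict:
    """Classify one TXT string.

    Returns a dict with:
      is_spf        - the string starts with the v=spf1 version tag
      unknown_terms - terms that are neither a known mechanism nor a known modifier
      suspicious    - True if any such term is present
    RFC 7208 lets a publisher add unknown "name=value" modifiers, so a strict
    validator would accept them; for detection they are exactly what we want
    surfaced, because that slot is the natural place to park an opaque blob.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"is_spf": False, "unknown_terms": [], "suspicious": False}
    unknown = [t for t in terms[1:]
               if not (MECHANISM.match(t) or MODIFIER.match(t))]
    return {"is_spf": True, "unknown_terms": unknown, "suspicious": bool(unknown)}


def scan(records):
    """Return the subset of TXT strings that claim to be SPF but carry unknown terms."""
    return [r for r in records if check_spf(r)["suspicious"]]


# Constructed sample TXT records for the example (RFC 5737/3849 test addresses).
SAMPLE_TXT_RECORDS = [
    "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "v=spf1 a mx ip6:2001:db8::/32 ~all",
    "v=spf1 redirect=_spf.example.org",
    "google-site-verification=abcdef0123456789",          # TXT, but not SPF
    "v=spf1 ip4:203.0.113.9 Y21kPWJlYWNvbjtpZD0wMDQyO3Q9MTM2MDAwMDAwMA== -all",
]

if __name__ == "__main__":
    for rec in SAMPLE_TXT_RECORDS:
        print(check_spf(rec), "<-", rec)
    print("suspicious:", scan(SAMPLE_TXT_RECORDS))
```

In practice you would feed this the TXT answers seen in resolver logs or passive DNS rather than a hard-coded list; a record that passes the grammar check can still be abused (for example through the choice of queried hostname), so treat a clean result as the absence of one particular signal, not as a clearance.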

Such attacks continue to evade security protections, but many IT managers aren't helping either. Figures suggest that most organisations still haven't implemented DNS Security Extensions (DNSSEC), a fix for a major DNS flaw discovered five years ago.

The latest technology to come under fire is much closer to home, however: it was recently revealed that flaws in Universal Plug and Play (UPnP) had exposed millions of networked devices to attack, with security consultants advising that the protocol be disabled. Device makers were blamed for the vulnerability, which was later found to affect a Broadcom chipset as well, and the estimated number of exposed devices was revised up to 50 million.

In an equally disturbing revelation, it emerged that Google has indexed over 86,000 publicly accessible printers at businesses, universities and other organisations around the world. Nowhere online is safe, it seems: a Cisco executive argued that online-shopping sites are as riddled with malware as online gambling sites.

On the privacy front, the WhatsApp smartphone app may attract prosecution after an investigation found weaknesses in its handling of personal information; along similar lines, US authorities reached an $US800,000 settlement with social networking app Path, which was found to have collected personal information from children without parental consent.

No wonder the privacy-concerned are writing operating systems like Whonix, which takes every precaution to preserve online anonymity. Compare that with the new BlackBerry 10 OS, which has been weighed and measured by many, and found to be quite wanting. The mobile-privacy situation is bad enough that the US Federal Trade Commission has released a report recommending ways to improve consumers' visibility of the use of their data online.

Oracle won't be removing what critics call 'crapware' bundled with Java any time soon, the company confirmed even as it pulled forward a security patch incorporating fixes for 50 vulnerabilities. Far less burdened with crapware but equally vulnerable to attack, it appears, is Ruby on Rails, which has received its third security patch in under a month.

Government requests for personal data are on the rise, reports suggest, although it's not clear if the increase is related to a recruitment drive that will see the Pentagon create thousands of new cybersecurity jobs. Critics say the hiring of 4000 cybersecurity experts isn't going to improve security appreciably – especially as long as even brute-force DDoS attacks continue to grow more sophisticated.

Stories by David Braue