The week in security: Government recruits cyber-army as hackers circumvent protections
- — 06 February, 2013 14:46
Also bypassing browser settings, but attracting no legal action at the moment, is Java – whose newly-improved security settings, reports suggest, have been successfully worked around. And Symantec was on the defensive after claims a weakness in its system had allowed hackers to circumvent its system in a cyberattack on The New York Times; peer and competitor The Wall Street Journal was also hit.
They weren't the only exploits doing the rounds: another piece of browser-hijacking malware disguises its back-to-base signals using the perfectly legitimate Sender Policy Framework (SPF) protocol. And another email attack exploits a vulnerability in Yahoo!'s site to hijack email accounts.
Such attacks continue to evade security protections, but many IT managers aren't helping either. Figures suggest that most organisations still haven't implemented DNS Security Extensions (DNSSEC), a fix for a major DNS flaw discovered five years ago.
The latest technology to come under fire is much closer to home, however: it was recently revealed that flaws in Universal Plug and Play (UPnP) had exposed millions of networked devices to attacks, with security consultants advising the protocol be disabled. Device makers were blamed for the vulnerability, which was later found to affect a Broadcom chipset and whose number of potential victims had been revised up to 50 million.
In an equally disturbing revelation, it emerged that Google has indexed over 86,000 publicly accessible printers at businesses, universities and other organisations around the world. It appears that nowhere is actually safe online, as a Cisco executive argued that online-shopping sites are as filled with nasties as even online gambling sites.
On the privacy front, the WhatsApp smartphone app may attract prosecution after an investigation found weaknesses in its handling of personal information; along similar lines, US authorities reached an $US800,000 settlement with social networking app Path, which was found to have collected personal information from children without parental consent.
No wonder the privacy-concerned are writing operating systems like Whonix, which takes every precaution to preserve online anonymity. Compare that with the new BlackBerry 10 OS, which has been weighed and measured by many, and found to be quite wanting. The mobile-privacy situation is bad enough that the US Federal Trade Commission has released a report recommending ways to improve consumers' visibility of the use of their data online.
Oracle won't be removing what critics call 'crapware' bundled with Java any time soon, the company confirmed even as it pulled forward a security patch incorporating fixes for 50 vulnerabilities. Far less burdened with crapware but equally vulnerable to attack, it appears, is Ruby on Rails, which has received its third security patch in under a month.
Government requests for personal data are ≤a href="http://www.cso.com.au/article/452069/twitter_transparency_report_shows_government_data_requests_rise/">on the rise, reports suggest, although it's not clear if the increase is related to a recruitment drive that will see the Pentagon creating thousands of new cybersecurity jobs. Critics say the hiring of 4000 cybersecurity experts isn't going to improve security appreciably – especially as long as brute-force DDoS attacks continue to increase their sophistication.