The week in security: Government recruits cyber-army as hackers circumvent protections

Google is facing legal action in the UK over the way it undermines the Safari Web browser's privacy settings – somewhat ironic given the magnitude of its $US3.14159m prize for hacking its Chrome OS.

Also bypassing browser settings, but attracting no legal action at the moment, is Java, whose newly improved security settings, reports suggest, have been successfully worked around. And Symantec was on the defensive after claims that a weakness in its software had allowed hackers to circumvent it in a cyberattack on The New York Times; peer and competitor The Wall Street Journal was also hit.

They weren't the only exploits doing the rounds: another piece of browser-hijacking malware disguises its back-to-base signals using the perfectly legitimate Sender Policy Framework (SPF) protocol. And another email attack exploits a vulnerability in Yahoo!'s site to hijack email accounts.

Such attacks continue to evade security protections, but many IT managers aren't helping either. Figures suggest that most organisations still haven't implemented DNS Security Extensions (DNSSEC), a fix for a major DNS flaw discovered five years ago.

The latest technology to come under fire is much closer to home, however: it was recently revealed that flaws in Universal Plug and Play (UPnP) had exposed millions of networked devices to attacks, with security consultants advising the protocol be disabled. Device makers were blamed for the vulnerability, which was later found to affect a Broadcom chipset and whose number of potential victims had been revised up to 50 million.

In an equally disturbing revelation, it emerged that Google has indexed over 86,000 publicly accessible printers at businesses, universities and other organisations around the world. It appears that nowhere is actually safe online, as a Cisco executive argued that online-shopping sites are as filled with nasties as even online gambling sites.

On the privacy front, the WhatsApp smartphone app may attract prosecution after an investigation found weaknesses in its handling of personal information; along similar lines, US authorities reached an $US800,000 settlement with social networking app Path, which was found to have collected personal information from children without parental consent.

No wonder the privacy-concerned are writing operating systems like Whonix, which takes every precaution to preserve online anonymity. Compare that with the new BlackBerry 10 OS, which has been weighed and measured by many, and found to be quite wanting. The mobile-privacy situation is bad enough that the US Federal Trade Commission has released a report recommending ways to improve consumers' visibility of the use of their data online.

Oracle won't be removing what critics call 'crapware' bundled with Java any time soon, the company confirmed even as it pulled forward a security patch incorporating fixes for 50 vulnerabilities. Far less burdened with crapware but equally vulnerable to attack, it appears, is Ruby on Rails, which has received its third security patch in under a month.

Government requests for personal data are on the rise (http://www.cso.com.au/article/452069/twitter_transparency_report_shows_government_data_requests_rise/), reports suggest, although it's not clear if the increase is related to a recruitment drive that will see the Pentagon creating thousands of new cybersecurity jobs. Critics say the hiring of 4000 cybersecurity experts isn't going to improve security appreciably – especially as long as brute-force DDoS attacks continue to increase their sophistication.
