The week in security: US Federal Reserve hacked as year of the exploit rolls on

Recent attacks on the New York Times and Wall Street Journal Web sites have proved nothing if not that information security efforts are still falling short, some have argued.

Witness the move by Anonymous to post the personal data of 4000 bankers online, or the separate attack by hackers on the US Federal Reserve System that also saw executive contact details stolen – an attack that highlights the problems federal agencies face in patching systems. Further investigation suggested the Federal Reserve site was likely the source for the 4000 bankers’ names, but the bank was refusing to give information away. And, in a separate incident, a hacker accessed personal information about the family of US presidents George H.W. Bush and George W. Bush. The incident was being taken as yet another lesson in the importance of having a strong password.

Leakage of personal information is exactly the kind of problem that the EU’s cybersecurity strategy, which was revealed on Thursday, is seeking to avoid. The legislation will mandate notification of data breaches and cyber security incidents to national authorities, but has come under fire from some. Yet the EU’s insistence on user privacy has, audits revealed, seen Facebook deleting all EU facial recognition data.

On a similar note, US authorities said a data-snooping bill was necessary but still needs work. Others were concerned that broad resistance to digital tracking could create issues for the Internet economy.

Singapore was making its own legal changes with amendments to the Computer Misuse Act, while US policy was updated to allow the US president to order pre-emptive cyberattacks on any country preparing to launch its own cyberwar against America; China is generally held to be the target of this particular change. Little wonder: researchers found that Chinese-authored malware had been designed to steal industrial secrets from unmanned military drone operators.

Oracle and Apple got into their own war of sorts after Apple declared Oracle’s Java to be persona non grata on Mac OS X. A subsequent Apple update to Java put the vulnerability-plagued platform back on the good list, even as it topped another list – the list of the most dangerous software flaws in 2012.

Meanwhile, Apple was hit on a different front as an untethered jailbreak for iOS 6 was released. Kaspersky hit itself by releasing a bad antivirus update that blocked users from accessing the Web, while Adobe released an emergency patch for its Flash Player after two zero-day bugs were discovered.

Also in the vulnerability realm, a flaw in Juniper Networks routers was identified, while the Mega file-sharing service has launched a vulnerability reward program offering over $13,000 per serious security flaw that hackers find in its platform and report properly. There was no such promise from LogMeIn, which has launched a Dropbox competitor playing on its security credentials. Security firm Malwarebytes recently discovered malware being signed with a valid digital certificate.

No wonder 2012 was declared the ‘Year of the Exploit’ by security firm F-Secure. Internet Explorer flaws were fixed in two Patch Tuesday updates, while researchers are even finding new ways to attack Web standbys such as SSL encryption. F-Secure expects mobiles will become a new attack vector, which rival Kaspersky Lab corroborated after discovering an Android Trojan that launches attacks on PCs.

Microsoft research suggested that countries participating in international cybersecurity agreements tend to be hit with less malware. A Dutch man was sentenced to 12 years in a US prison after selling credit card details online.

There were some victories: Microsoft and Symantec took down the Bamital click-fraud botnet, then took the unprecedented step of notifying its victims. DMARC, a security framework designed to combat email phishing, marked its one-year anniversary. Yet even with the small victories come new threats: a new exploit kit called Whitehole promises a new wave of malware for malicious cybercriminals.

Tags: Anonymous, hackers, password protection, cybersecurity, security

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.


Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.