The week in security: US Federal Reserve hacked as year of the exploit rolls on
- — 12 February, 2013 09:26
Recent attacks on the New York Times and Wall Street Journal Web sites have proved nothing if not that information security efforts are still falling short, some have argued.
Witness the move by Anonymous to post the personal data of 4000 bankers online, or the separate attack by hackers on the US Federal Reserve System that also saw executive contact details stolen – an attack that highlights the problems federal agencies face in patching systems. Further investigation suggested the Federal Reserve site was likely the source for the 4000 bankers’ names, but the bank was refusing to give information away. And, in a separate incident, a hacker accessed personal information about the family of US presidents George H.W. Bush and George W. Bush. The incident was being taken as yet another lesson in the importance of having a strong password.
Leakage of personal information is exactly the kind of problem that the EU’s cybersecurity strategy, which was revealed on Thursday, is seeking to avoid. The legislation, which will mandate notification of data breaches and cyber security incidents to national authorities, but has come under fire from some. Yet the EU’s insistence on user privacy has, audits revealed, seen Facebook deleting all EU facial recognition data.
On a similar note, US authorities said a data-snooping bill was necessary but still needs work. Others were concerned that broad resistance to digital tracking could create issues for the Internet economy.
Singapore was making its own legal changes with amendments to the Computer Misuse Act, while US policy was updated to allow the US president to order pre-emptive cyberattacks on any country preparing to launch its own cyberwar against America; China is generally held to be the target of this particular change. Little wonder: researchers found that Chinese-authored malware had been designed to steal industrial secrets from unmanned military drone operators.
Oracle and Apple got into their own war of sorts after Apple declared Oracle’s Java to be persona non grata on Mac OS X. A subsequent Apple update to Java put the vulnerability-plagued platform back on the good list, even as it topped another list – the list of the most dangerous software flaws in 2012.
Meanwhile, Apple was hit on a different front as an untethered jailbreak for iOS 6 was released. Kaspersky hit itself by releasing a bad antivirus update that blocked users from accessing the Web, while Adobe released an emergency patch for its Flash Player after two zero-day bugs were discovered.
Also in the vulnerability realm, a flaw in Juniper networks routers was identified, while the Mega file-sharing service has launched a vulnerability reward program offering over $13,000 per serious security flaw that hackers find in its platform and report properly. There was no such promise from LogMeIn, which has launched a Dropbox competitor playing on its security credentials. Security firm Malwarebytes recently discovered malware being signed with a valid digital certificate.
No wonder 2012 was declared the ‘Year of the Exploit’ by security firm F-Secure. Internet Explorer flaws were fixed in two Patch Tuesday updates, while researchers are even finding new ways to attack Web standbys such as SSL encryption. F-Secure expects mobiles will become a new attack vector, which rival Kaspersky Lab corroborated after discovering an Android Trojan that launches attacks on PCs.
Microsoft research suggested that countries participating in international cybersecurity agreements tend to be hit with less malware. A Dutch man was sentenced to 12 years in a US prison after selling credit card details online.
There were some victories: Microsoft and Symantec took down the Bamital click-fraud botnet, then took the unprecedented step of notifying its victims. DMARC, a security framework designed to combat email phishing, marked its one-year anniversary. Yet even with the small victories comes new threats: a new exploit kit called Whitehole promises a new wave of malware for malicious cybercriminals.