The week in security: US Federal Reserve hacked as year of the exploit rolls on

Recent attacks on the New York Times and Wall Street Journal Web sites have proved nothing if not that information security efforts are still falling short, some have argued.

Witness the move by Anonymous to post the personal data of 4000 bankers online, or the separate attack by hackers on the US Federal Reserve System that also saw executive contact details stolen – an attack that highlights the problems federal agencies face in patching systems. Further investigation suggested the Federal Reserve site was likely the source for the 4000 bankers’ names, but the bank was refusing to give information away. And, in a separate incident, a hacker accessed personal information about the family of US presidents George H.W. Bush and George W. Bush. The incident was being taken as yet another lesson in the importance of having a strong password.

Leakage of personal information is exactly the kind of problem that the EU’s cybersecurity strategy, which was revealed on Thursday, is seeking to avoid. The legislation, which will mandate notification of data breaches and cyber security incidents to national authorities, has come under fire from some. Yet the EU’s insistence on user privacy has, audits revealed, seen Facebook deleting all EU facial recognition data.

On a similar note, US authorities said a data-snooping bill was necessary but still needs work. Others were concerned that broad resistance to digital tracking could create issues for the Internet economy.

Singapore was making its own legal changes with amendments to the Computer Misuse Act, while US policy was updated to allow the US president to order pre-emptive cyberattacks on any country preparing to launch its own cyberwar against America; China is generally held to be the target of this particular change. Little wonder: researchers found that Chinese-authored malware had been designed to steal industrial secrets from unmanned military drone operators.

Oracle and Apple got into their own war of sorts after Apple declared Oracle’s Java to be persona non grata on Mac OS X. A subsequent Apple update to Java put the vulnerability-plagued platform back on the good list, even as it topped another list – the list of the most dangerous software flaws in 2012.

Meanwhile, Apple was hit on a different front as an untethered jailbreak for iOS 6 was released. Kaspersky hit itself by releasing a bad antivirus update that blocked users from accessing the Web, while Adobe released an emergency patch for its Flash Player after two zero-day bugs were discovered.

Also in the vulnerability realm, a flaw in Juniper Networks routers was identified, while the Mega file-sharing service has launched a vulnerability reward program offering over $13,000 per serious security flaw that hackers find in its platform and report properly. There was no such promise from LogMeIn, which has launched a Dropbox competitor playing on its security credentials. Security firm Malwarebytes recently discovered malware being signed with a valid digital certificate.

No wonder 2012 was declared the ‘Year of the Exploit’ by security firm F-Secure. Internet Explorer flaws were fixed in two Patch Tuesday updates, while researchers are even finding new ways to attack Web standbys such as SSL encryption. F-Secure expects mobiles will become a new attack vector, which rival Kaspersky Lab corroborated after discovering an Android Trojan that launches attacks on PCs.

Microsoft research suggested that countries participating in international cybersecurity agreements tend to be hit with less malware. A Dutch man was sentenced to 12 years in a US prison after selling credit card details online.

There were some victories: Microsoft and Symantec took down the Bamital click-fraud botnet, then took the unprecedented step of notifying its victims. DMARC, a security framework designed to combat email phishing, marked its one-year anniversary. Yet even with the small victories come new threats: a new exploit kit called Whitehole promises a new wave of malware for malicious cybercriminals.


Stories by David Braue
