The week in security: Hackers tire of sex sites, get down to business
19 February 2013, 12:07
Analysts were warning about the potential for machine-to-machine (M2M) network connections to expose dangerous new opportunities for hackers. Mobiles also loom large in their plans, with the volume of mobile malware still small but the threat profile growing all the time and new avenues, such as a growing number of enterprise app stores, offering tantalising new possibilities. Others aren’t waiting to imagine the possibilities, with a new exploit allowing access to a locked iPhone 5’s contacts and photos, and another showing how to bypass the PIN code lock altogether.
China’s government rejected claims that it was behind cyber-attacks on US media outlets, while next door in Japan police were rejoicing after allegedly catching a man who had been sending them taunting clues via an SD card attached to a cat. Yet there may not be enough skilled people to execute such takedowns, if a UK National Audit Office report – which found the government is not training enough cyber security experts – is correct.
A list of the wildest security exploits ever makes interesting reading, with another contender – DaVinci surveillance malware, originally designed for law-enforcement use – now doing the rounds. Anonymous hoped to add to that list with a threat to bring down the live Web stream of Barack Obama’s State of the Union address, but they were unsuccessful in following through.
New attacks are helped along by poor security, and Yahoo was being skewered on this point after distributing a vulnerability-filled version of Java to small businesses. Microsoft scored a near-record 57 vulnerabilities patched in its latest Patch Tuesday update while preparing for the upcoming Pwn2Own hacking competition, even as a new zero-day PDF exploit targets Adobe Acrobat 9, 10, and 11 by bypassing its much-hyped ‘sandbox’ protections. Use of the ‘protected view’ offers stopgap protection, according to Adobe.
In another competition, organisers were hoping to improve password-hashing algorithms. Meanwhile, recent figures confirm hackers are behind most of the 2644 data breaches observed in 2012. Also interesting is the method of attack: sex sites, long a favourite of malware authors, have apparently been outpaced by IT sites as the most frequent targets for cyber crooks, and China is no longer as dominant in the malware leaderboards.
Retail operations were also getting extra love from cyber criminals during 2012, according to a study from Trustwave. Little wonder there’s strong support for new authentication mechanisms like one from the FIDO (Fast Identity Online) Alliance, which is aiming to improve online security for users and believes it has a viable alternative to passwords.
The alliance’s goal is to help manage access well before a serious breach – which, another analysis has found, may take months to spot. Despite such optimism, the demise of passwords is still a long way away, analysts argue.
In the interim, a multi-vendor industry group is pushing to advocate security best-practice. The Certificate Authority Security Council (CASC) will focus on improving the usage of SSL (Secure Sockets Layer) technology on the Web.
Such efforts may improve access control, but a survey found that preventing data loss is the top priority for security professionals. Many have been sidelined by the onerous requirements of standards like PCI DSS.
For its part, the Obama administration claimed a victory in the cybercrime fight after Obama signed an executive order mandating that federal agencies share cyber threat information with private companies, but some analysts weren’t convinced it will have any real effect and others argued the real improvement would come when the order was followed by binding legislation. Lawmakers forced the point as they reintroduced a cyber-threat information-sharing bill.