The week in security: Hackers tire of sex sites, get down to business

Analysts were warning about the potential for machine-to-machine (M2M) network connections to expose dangerous new opportunities for hackers. Mobiles also loom large in their plans, with the volume of mobile malware still small but the threat profile growing all the time and new avenues, such as a growing number of enterprise app stores, offering tantalising new possibilities. Others aren’t waiting to imagine the possibilities, with a new exploit allowing access to a locked iPhone 5’s contacts and photos, and another showing how to bypass the PIN code lock altogether.

China’s government rejected claims that it was behind cyber-attacks on US media outlets, while next door in Japan police were rejoicing after allegedly catching a man who had been sending them taunting clues via an SD card attached to a cat. Yet there may not be enough skilled people to execute such takedowns, if a UK National Audit Office report – which found the government is not training enough cyber security experts – is correct.

A list of the wildest security exploits ever makes interesting reading, with another contender – DaVinci surveillance malware, originally designed for law-enforcement use – now doing the rounds. Anonymous hoped to add to that list with a threat to bring down the live Web stream of Barack Obama’s State of the Union address, but they were unsuccessful in following through.

New attacks are helped along by poor security, and Yahoo was being skewered on this point after distributing a vulnerability-filled version of Java to small businesses. Microsoft scored a near-record 57 vulnerabilities patched in its latest Patch Tuesday update while preparing for the upcoming Pwn2Own hacking competition, even as a new zero-day PDF exploit targets Adobe Acrobat 9, 10, and 11 by bypassing its much-hyped ‘sandbox’ protections. Use of the ‘protected view’ offers stopgap protection, according to Adobe.

In another competition, organisers were hoping to improve password-hashing algorithms. Meanwhile, recent figures confirm hackers are behind most of the 2644 data breaches observed in 2012. Also interesting is the method of attack: sex sites, long a favourite of malware authors, have apparently been outpaced by IT sites as the most frequent targets for cyber crooks, and China is no longer as dominant in the malware leaderboards.

Retail operations were also getting extra love from cyber criminals during 2012, according to a study from Trustwave. Little wonder there’s strong support for new authentication mechanisms like one from the FIDO (Fast Identity Online) Alliance, which is aiming to improve online security for users and believes it has a viable alternative to passwords.

The alliance’s goal is to help manage access well before a serious breach – which, another analysis has found, may take months to spot. Despite such optimism, the demise of passwords is still a long way away, analysts argue.

In the interim, a multi-vendor industry group is pushing to advocate security best-practice. The Certificate Authority Security Council (CASC) will focus on improving the usage of SSL (Secure Sockets Layer) technology on the Web.

Such efforts may improve access control, but a survey found that preventing data loss is the top priority for security professionals. Many have been sidelined by the onerous requirements of standards like PCI DSS.

For its part, the Obama administration claimed a victory in the cybercrime fight after Obama signed an executive order mandating that federal agencies share cyber threat information with private companies, but some analysts weren’t convinced it will have any real effect and others argued the real improvement would come when the order was followed by binding legislation. Lawmakers forced the point as they reintroduced a cyber-threat information-sharing bill.
