The week in security: Hackers tire of sex sites, get down to business

Analysts were warning about the potential for machine-to-machine (M2M) network connections to expose dangerous new opportunities for hackers. Mobiles also loom large in their plans, with the volume of mobile malware still small but the threat profile growing all the time and new avenues, such as a growing number of enterprise app stores, offering tantalising new possibilities. Others aren’t waiting to imagine the possibilities, with a new exploit allowing access to a locked iPhone 5’s contacts and photos, and another showing how to bypass the PIN code lock altogether.

China’s government rejected claims that it was behind cyber-attacks on US media outlets, while next door in Japan police were rejoicing after allegedly catching a man that had been sending them taunting clues via an SD card attached to a cat. Yet there may not be enough skilled people to execute such takedowns, if a UK National Audit Office report – which found the government is not training enough cyber security experts – is correct.

A list of the wildest security exploits ever makes interesting reading, with another contender – DaVinci surveillance malware, originally designed for law-enforcement use – now doing the rounds. Anonymous hoped to add to that list with a threat to bring down the live Web stream of Barack Obama’s State of the Union address, but they were unsuccessful in following through.

New attacks are helped along by poor security, and Yahoo was being skewered on this point after distributing a vulnerability-filled version of Java to small businesses. Microsoft scored a near-record 57 vulnerabilities patched in its latest Patch Tuesday update while preparing for the upcoming Pwn2Own hacking competition, even as a new zero-day PDF exploit targets Adobe Acrobat 9, 10, and 11 by bypassing its much-hyped ‘sandbox’ protections. Use of the ‘protected view’ offers stopgap protection, according to Adobe.

In another competition, organisers were hoping to improve password-hashing algorithms. Meanwhile, recent figures confirm hackers are behind most of the 2644 data breaches observed in 2012. Also interesting is the method of attack: sex sites, long a favourite of malware authors, have apparently been outpaced by IT sites as the most frequent targets for cyber crooks and China is no longer as dominant in the malware leader boards.

Retail operations were also getting extra love from cyber criminals during 2012, according to a study from Trustwave. Little wonder there’s strong support for new authentication mechanisms like one from the FIDO (Fast Identity Online) Alliance, which is aiming to improve online security for users and believes it has a viable alternative to passwords.

Their goal is to help manage access well before a serious breach – which, another analysis has found, may take months to spot. Despite optimism, the demise of passwords is still a long way away, analysts argue.

In the interim, a multi-vendor industry group is pushing to advocate security best-practice. The Certificate Authority Security Council (CASC) will focus on improving the usage of SSL (Secure Sockets Layer) technology on the Web.

Such efforts may improve access control, but a survey found that preventing data loss is the top priority for security professionals. Many have been sidelined by the onerous requirements of standards like PCI DSS.

For its part, the Obama administration claimed a victory in the cybercrime fight after Obama signed an executive order mandating that federal agencies share cyber threat information with private companies, but some analysts weren’t convinced it will have any real effect and others argued the real improvement would come when the order was followed by binding legislation. Lawmakers forced the point as they reintroduced a cyber-threat information-sharing bill.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

More about Adobe SystemsCSOMicrosoftNational Audit OfficeTrustwaveYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place