The week in security: Security cracks galore as RBA hacked, Apple outed

Revelations that the Reserve Bank of Australia suffered a malware attack, back in 2011, had tongues wagging – not least because customers, it turns out, are more concerned by the data security practices of bank contact centres.

They would probably be even more concerned if they found out not only that their Facebook ‘likes’ were revealing too much about them, but that their financial information was publicly available through a credit-reporting site, as apparently happened to several well-known figures. Three retailers certainly were concerned, signing up for online-payment security services from Visa CyberSource.

Yet there’s no telling whether the average user would be happy or concerned about another security innovation that could find its way to banks: a Japanese team has suggested that over-the-shoulder attacks could be stopped by surrounding the PIN-entry field with dummy cursors to confuse onlookers and screen-capture malware.

In the US, the industry was weighing up the implications of President Barack Obama's government cyber security executive order, even as Colin Powell’s Facebook page was hacked and the government warned China to tone down cyber-attacks – which the government sees as a top threat to the US this year.

Commercial exploit kit Cool proved it’s a force to be reckoned with after adding a days-old zero-day flaw to its repertoire of attacks. Interestingly, Google’s Chrome OS also proved to be a force to be reckoned with after a hacking contest received no winning entries for the platform.

Less resistant to hacking was Adobe Flash, which was patched for the fifth time this year. Microsoft fixed a USB-related vulnerability and received mixed reviews after it pledged it would roll out Windows Store app patches as they become available.

In the wake of ongoing security difficulties for Java, security of open-source software was also under scrutiny, while Google launched a site for Webmasters of hacked Web sites.

Revelations suggested Apple's App Store servers were leaving some information unencrypted, exposing users to several potential attacks – not that it would matter, after researchers improved a technique for extracting user data from an SSL stream. Apple was also one of several big-name tech companies – Facebook, Microsoft and Twitter were the others – confessing they had been hit with a targeted Trojan.

It’s hardly surprising app developers and app-store maintainers were warned by the EU to improve the security of user data. The DSD certified a mobile-sandbox security solution from Good Technology under its security-assessment program, while the AFP is pushing a multi-faceted user education campaign to reduce security incidents.

BlackBerry, for its part, extended the sandbox protections of its BlackBerry 10 operating system to iOS and Google Android. Yet even as we pay more attention to mobile app security, better mobile-security tools could backfire as they draw attention from hackers, we were warned. Also problematic are security appliances riddled with serious vulnerabilities.

Some were considering the privacy implications of DNA cross-matching, while security researchers warned about traffic chaos if hackers influence real-time traffic-flow-analysis systems. And one Seattle cafe decided the implications of Google Glass eyewear were so significant that it's banned the technology even before it's been released.

Speaking of uproars: advocacy group Reporters Without Borders was up in arms, naming five nations that it says spy on media and activists. On a similar note, prestigious Harvard University was trying to talk its way out of a report that university administrators had secretly accessed emails of 16 university deans.

The US government was warning citizens to apply an HP LaserJet printer firmware upgrade for a remote-execution vulnerability, while a group of New Zealand businesses was thinking far bigger, agreeing on voluntary standards for system security. It comes none too soon: hackers are now exploiting trusted VPN connections between suppliers and clients, security firm Mandiant warns.

Stories by David Braue