The week in security: APTs up, skills down as Facebook Home ban advised

Perpetrators of advanced persistent attacks (APTs) are getting more evasive and persistent, observers warn, even as Scottish security startup Inquisitive Systems received £500,000 ($732,880) to fight APTs. SQL injection flaws are also proving problematic, a Veracode report suggested, in that they are both easy to find and easy to exploit.

Others were concerned about the security implications of the new Facebook Home overlay for Android smartphones, which is likely to make its way into more than a few companies via employees’ Android proclivities, and about the lack of user education around such issues.

Mobiles are already known to view more private data than is necessary – prompting a warning from the EU that improving user experience isn’t a justification for use of consumer information – and the use of a botnet-for-hire to boost Android malware spamming doesn’t help either.

Yet even as news leaks that the US Air Force has reclassified cyber tools as weapons, law enforcement agencies may have similar concerns about iOS devices as they come to realise they can’t decrypt Apple’s encrypted iMessage communications service.

That’s not the only place where encryption is proving to be an issue: cloud encryption is moving from fiction to “actionable reality”, according to one security researcher, while reports suggest the creator of Secure Shell (SSH) encryption is working on a follow-up. Yet Gartner argues that it will be a “long hard climb” to boost cloud security to acceptable and universal levels, and that executives must show their real security interest by supporting appropriate security spending in a time of IT budget stagnation.

It’s certainly not helping things to note that hackers are finding new uses for a variety of common technologies: wireless IP cameras, for example, are open to hijacking over the Internet, while everything from electric car chargers to jet flight simulators to the high-end Canon EOS-1D X camera can be repurposed for other means. Twitter’s OAuth feature can be abused to hijack accounts, while online poker applications have been breached. Even smart water meter trials are being executed with security in mind.

US public companies’ filings suggest there are some inconsistent messages around the real extent of cybersecurity threats, while a new online library published by WikiLeaks is offering an historical repository of millions of Kissinger-era intelligence cables.

Speaking of old technology, some experts warn that many large businesses will still be using antiquated Windows XP desktops well after support for the platform ceases altogether. This, compounded by a continuing security skills shortage, reflects the need to keep on top of cyberskills deficiencies – as will the formation of a new Oxford University cyber-security research centre designed to support a global program for cyber defence.

Companies concerned about security and vulnerability assessment should watch out for four common mistakes. One more thing to watch out for is the lack of control over mobile device environments, although startup Averail has launched its effort in this respect with a container and security auditing technology for iPads.

Technological changes abounded as Mozilla moved to block third-party cookies by default, Microsoft’s latest Patch Tuesday left an Internet Explorer zero-day untouched, and Ubisoft took its Uplay service offline until it fixes a security issue that lets hackers download games.

Although there was some dispute about the impact of an Anonymous cyberattack on Israel, there was less disagreement over the punishment for a carder involved in the 2008 RBS WorldPay ATM heist, who was given a prison sentence of over seven years.

He’s not the only one targeting banks, however: the Shylock bank information-stealing Trojan has been upgraded with new capabilities, according to a Symantec report. The Bitcoin virtual currency suffered striking fluctuations in value after software couldn’t keep up with an influx of new buyers. And yet, some hackers are broadening their horizons, with supply chain systems apparently proving tempting for some.

A US House Intelligence Panel has voted 18-2 to OK the controversial CISPA information-sharing bill after a closed-door meeting – attracting ire from critics who argue it’s still mainly about government surveillance. The White House has said it won’t support CISPA in its current form, while UK authorities had other issues on their minds after noting a Ministry of Justice database access hole was reported to an Opposition MP.

Stories by David Braue
