The week in security: APTs up, skills down as Facebook Home ban advised

Perpetrators of advanced persistent threats (APTs) are getting more evasive and persistent, observers warn, even as Scottish security startup Inquisitive Systems received £500,000 ($732,880) to fight APTs. SQL injection flaws are also proving problematic, a Veracode report suggested, in that they are both easy to find and easy to exploit.

Others were concerned about the security implications of the new Facebook Home overlay for Android smartphones, which is likely to make its way into more than a few companies via employees’ Android proclivities (read some Facebook Home privacy facts here) and the lack of user education around such issues.

Mobiles are already known to access more private data than is necessary – prompting a warning from the EU that improving user experience isn’t a justification for using consumer information – and the use of a botnet-for-hire to boost Android malware spamming doesn’t help either.

Yet even as news leaks that the US Air Force has reclassified cyber tools as weapons, law enforcement agencies may have similar concerns from iOS devices as they come to realise they can’t decrypt Apple’s encrypted iMessage communications service.

That’s not the only place where encryption is proving to be an issue: cloud encryption is moving from fiction to “actionable reality”, according to one security researcher, while reports suggest the creator of Secure Shell (SSH) encryption is working on a follow-up. Yet Gartner argues that it will be a “long hard climb” to boost cloud security to acceptable and universal levels, and that executives must show their real security interest by supporting appropriate security spending in a time of IT budget stagnation.

It’s certainly not helping things to note that hackers are finding new uses for a variety of common technologies: wireless IP cameras, for example, are open to hijacking over the Internet, while everything from electric car chargers to jet flight simulators to the high-end Canon EOS-1D X camera can be repurposed for other means. Twitter’s OAuth feature can be abused to hijack accounts, while online poker applications have been breached. Even smart water meter trials are being executed with security in mind.

US public companies’ filings suggest there are some inconsistent messages around the real extent of cybersecurity threats, while a new online library published by WikiLeaks is offering an historical repository of millions of Kissinger-era intelligence cables.

Speaking of old technology, some experts warn that many large businesses will still be using antiquated Windows XP desktops well after support for the platform has ceased altogether. This, compounded by a continuing security skills shortage, reflects the need to keep on top of cyberskills deficiencies – as will the formation of a new Oxford University cyber-security research centre designed to support a global program for cyber defence.

Companies concerned about security and vulnerability assessment should watch out for four common mistakes. One more thing to watch out for is the lack of control over mobile device environments, although startup Averail has launched its effort in this respect with a container and security auditing technology for iPads.

Technological changes abounded as Mozilla moved to block third-party cookies by default, Microsoft’s latest Patch Tuesday left an Internet Explorer zero-day untouched, and Ubisoft took its Uplay service offline until it fixes a security issue that lets hackers download games.

Although there was some dispute about the impact of an Anonymous cyberattack on Israel, there was less disagreement over the punishment for a carder involved in the 2008 RBS WorldPay ATM heist, who was given a prison sentence of over seven years.

He’s not the only one targeting banks, however: the Skylock bank information-stealing Trojan has been upgraded with new capabilities, according to a Symantec report. The Bitcoin virtual currency suffered striking fluctuations in value after software couldn’t keep up with an influx of new buyers. And, yet, some hackers are broadening their horizons, with supply chain systems apparently proving tempting for some.

A US House Intelligence Panel has voted 18-2 to OK the controversial CISPA information-sharing bill after a closed-door meeting – attracting ire from critics who argue it’s still mainly about government surveillance. The White House has said it won’t support CISPA in its current form, while UK authorities had other issues on their minds after noting a Ministry of Justice database access hole was reported to an Opposition MP.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.


Stories by David Braue
