The week in security: AFP arrests LulzSec hacker, security arresting BYOD planning

Security researchers were surprised to discover that the malware baddies had gone to the unprecedented effort of creating an entirely new online advertisement distribution network, called BadNews, which burrowed its way through Google Play’s security defences by lying dormant for weeks before distributing malware millions of times by sending fake update notifications.

Little wonder security experts are warning that Android’s “fundamentally broken” security model is making bring your own device (BYOD) strategies too risky to be considered; news that Samsung has delayed its Knox Android security software can’t help either.

On a similar note, some companies are revisiting their BYOD policies to ensure they don’t get hit with lawsuits from employees who feel their privacy has been violated by BYOD security controls. Even giant telco BT is “struggling” with the trend. You DO have a BYOD policy in place, right?

As shown by the Australian Federal Police arrest of a 24-year-old IT security specialist alleged to be a key member of the LulzSec hacking group, effective management of security teams is critical. Does your company understand business goals in a security context, and is your security team flexible enough to quickly and positively respond to criticisms? Not all are, and some warn that lack of flexibility may be an indicator of worse things to come as good security talent becomes harder to find.

Also an indicator of worse things to come are figures from Verizon’s latest cyber-security report, whose findings include nuggets such as that one in five data breaches are due to cyberespionage and that China continues to dominate as a source of the attacks. Meanwhile, an Islamic hacktivist group continues to hammer US banks and other financial services companies with DDoS attacks. Clearly, we have a lot of work ahead of us – especially since statistics suggest we are being hit on the same TCP/IP ports, over and over again. Perhaps there is value in learning from crowd-sourced attack data, as implemented by new tools from security firm Imperva.

Companies managing users’ data need to be vigilant about how it’s collected, with Apple spelling out its privacy policy for data collected using its Siri voice assistant and the German government fining Google $US190,000 ($A185,000) for gathering a variety of information from unprotected WiFi networks using its Google Street View cars. Coincidentally, Microsoft has launched a new campaign to fete its privacy credentials, with the catchphrase “your privacy is our priority”. Perhaps the UK Inland Revenue department could take note, after revelations it accidentally misdirected 201 emails to the wrong people.

Yet not all parties love better privacy controls: Mozilla is copping flak from advertisers for allowing Internet users to opt out of behavioural tracking. Also fingered in privacy controversy are the Google Glass augmented-reality glasses, but CEO Eric Schmidt stepped in to point out that the wearable computer is still a year away from release. That gives privacy lobbyists more time to build up their arguments around the technology’s privacy implications – as they have done around the UK’s so-called ‘Snoopers’ Charter’, which was dumped after concerns – although a tepid response to the progressing Cyber Intelligence Sharing and Protection Act (CISPA), which itself seems doomed to fail, suggests they need to improve their organising capabilities first.

Perhaps they need not fear having nothing to rally people around: the US Department of Homeland Security (DHS) is reportedly preparing a more powerful version of its EINSTEIN intrusion-detection system that uses deep-packet inspection to detect malware attacks and stress out privacy advocates all in the one go, even though a US Senate committee has approved legislation to protect citizens from government surveillance of cloud-hosted data. Yet even as a US judge supports privacy by rejecting an FBI request to hack the computer of a suspected cyber-criminal, privacy advocates are already up in arms over proposed changes to European data protection laws, which they say would strip citizens of their privacy rights. That gels with the mission of Adobe Systems’ first CSO, Brad Arkin, whose first priority is the security of the vendor’s hosted services. He couldn’t be more timely, with warnings that hackers are increasingly targeting shared Web hosting servers as launching pads for mass phishing attacks.

New Boeing technology promises to unify business IT networks with traditionally-separate industrial-control systems, while new malware is showing the risks of too much access by targeting Dutch Twitter users with malware that hijacks their accounts and sends dangerous links. The hijacking of the Associated Press Twitter account reinforced the need for better authentication – and Twitter obliged with acknowledgement that it’s working on a two-step authentication solution in a trend that’s set to become more common as users learn more about it and vendors release new solutions.

A serious flaw in the latest Java Runtime Environment is said to affect desktop and server versions of the code, while security firm FireEye says cyber-spying tool Gh0st RAT is still being used in stealthy malware attacks and malware from the Operation Beebus cyberattacks is still proving to be active.

The cybersecurity threat is getting so bad that the UK government is offering small businesses £5000 ($A7531) to improve their cyber security by hiring outside security consultants. Australian startup Bugcrowd has tried another tack, negotiating continuing professional education (CPE) points for security professionals who participate in communal bug-finding competitions, which are bringing new legitimacy and scale to penetration testing. And HP, for its part, has designed a course to help business students get on top of technical issues around cloud computing, big data, security and other network issues.

Amazon is also working to get on top of those issues, with the company looking at moving security appliances to the cloud. That can’t hurt the perceptions of those who are assessing the risk of cloud solutions before considering a move.


Stories by David Braue
