The week in security: AFP arrests LulzSec hacker, security arresting BYOD planning
- — 29 April, 2013 16:24
Security researchers were surprised to discover that the malware baddies had gone to the unprecedented effort of creating an entirely new online advertisement distribution network, called BadNews, which burrowed its way through Google Play’s security defences by laying dormant for weeks before distributing malware millions of times by sending fake update notifications.
Little wonder security experts are warning that Android’s “fundamentally broken” security model is making bring your own device (BYOD) strategies too risky to be considered; news that Samsung has delayed its Knox Android security software can’t help either.
On a similar note, some companies are revisiting their BYOD policies to ensure they don’t get hit with lawsuits from employees who feel their privacy has been violated by BYOD security controls. Even giant telco BT is “struggling” with the trend. You DO have a BYOD policy in place, right? As shown by the Australian Federal Police arrest of a 24-year-old IT security specialist alleged to be a key member of the LulzSec hacking group, effective management of security teams is critical. Does your company understand business goals in a security context, and is your security team flexible enough to quickly and positively respond to criticisms? Not all are, and some warn that lack of flexibility may be an indicator of worse things to come as good security talent becomes harder to find.
Yet not all parties love better privacy controls: Mozilla is copping flak from advertisers for allowing Internet users to opt out of behavioural tracking. Also fingered in privacy controversy is the Google Glass augmented-reality glasses, but CEO Eric Schmidt stepped in to point out that the wearable computer is still a year away from release. That gives privacy lobbyists more time to build up their arguments around the technology’s privacy implications – as they have done around the UK’s so-called ‘Snoopers’ Charter’, which was dumped after concerns – although a tepid response to the progressing Cyber Intelligence Sharing and Protection Act (CISPA), which itself seems doomed to fail, suggests they need to improve their organising capabilities first.
Perhaps they need not fear having nothing to rally people around: the US Department of Homeland Security (DHS) is reportedly preparing a more powerful version of its EINSTEIN intrusion-detection system that uses deep-packet inspection to detect malware attacks and stress out privacy advocates all in the one go, even though a US Senate committee has approved legislation to protect citizens from government surveillance of cloud-hosted data. Yet even as a US judge supports privacy by rejecting an FBI request to hack the computer of a suspected cyber-criminal, privacy advocates are already up in arms over proposed changes to European data protection laws, which they say would strip citizens of their privacy rights. That gels with the mission of Adobe Systems’ first CSO, Brad Arkin, whose first priority is the security of the vendor’s hosted services. He couldn’t be more timely, with warnings that hackers are increasingly targeting shared Web hosting servers as launching pads for mass phishing attacks.
New Boeing technology promises to unify business IT networks with traditionally-separate industrial-control systems, while new malware is showing the risks of too much access by targeting Dutch Twitter users with malware that hijacks their accounts and sends dangerous links. The hijacking of the Associated Press Twitter account reinforced the need for better authentication – and Twitter obliged with acknowledgement that it’s working on a two-step authentication solution in a trend that’s set to become more common as users learn more about it and vendors release new solutions.
A serious flaw in the latest Java Runtime Environment is said to affect desktop and server versions of the code, while security firm FireEye says cyber-spying tool Gh0st RAT is still being used in stealthy malware attacks and malware from the Operation Beebus cyberattacks is still proving to be active.
The cybersecurity threat is getting so bad that the UK government is offering small businesses £5000 ($A7531) to improve their cyber security by hiring outside security consultants. Australian startup Bugcrowd has tried another tack, negotiating continuing professional education (CPE) points for security professionals who participate in communal bug-finding competitions, which are bringing new legitimacy and scale to penetration testing. And HP, for its part, has designed a course to help business students get on top of technical issues around cloud computing, big data, security and other network issues.
Amazon is also working to get on top of those issues, with the company looking at moving security appliances to the cloud. That can’t hurt the perceptions of those who are assessing the risk of cloud solutions before considering a move.