The week in security: To meet new privacy burden, think like a teenage girl

Commemorations of Privacy Awareness Week included some high-profile pronouncements from Australia’s Privacy Commissioner, who has made it his goal to educate Australian businesses about their new obligations under privacy laws that will change in March 2014. This, on the back of survey findings that suggest 59% of Australian companies are still unaware of the impact and responsibilities of those new laws. With penalties promised in the six and seven figures, ignorance may most definitely not be bliss in this case.

Interestingly, although the European Union gets the lion’s share of attention for its privacy regime, one privacy expert has given Australia’s emerging privacy regulations the thumbs-up and suggested that IT managers keen to improve corporate privacy may find much to emulate in the behaviour of 17-year-old girls. Another option is to look into novel ideas like self-detonating data, which promises a new twist on the old Mission Impossible “this message will self-destruct in five seconds” meme.

One of the recurring stories in the security world is the lack of suitably certified skilled security staff. Education body (ISC)2 took another step to address this with a new certification, jointly developed with the Cloud Security Alliance and designed to formalise cloud-security training and certification. That adds a human element to complement industry efforts, such as Trend Micro’s launch of new services to protect Amazon Web Services (AWS) cloud-hosted servers. Virtual servers may help boost security, a new Gartner report suggests, while Samsung’s new Knox security and management software has been judged secure enough to be used on the US Department of Defense network. Even telecommunications carriers are being tipped to join the fight as content-aware defences add a new line of defence for bring your own device (BYOD) programs.

Security attacks can come from anywhere – printers, routers, and even that van parked outside your house, as Spain’s Interior Ministry found after investigating a man suspected of recently participating in a large DDoS attack. Turns out old vans can be used to support DDoS just as easily as old network protocols can be abused to launch them.

That’s not the only thing authorities are finding: a new detector can find mobile phones even without batteries or SIM cards. Also posting surprising findings is online gaming service ESEA, which admitted to using spare graphics processing unit (GPU) cycles in its clients’ computers to mine bitcoins without their knowledge. Also on the bitcoin front, an effort to improve US and Canadian citizens’ access to bitcoins has turned into a $US75 million ($A72.7m) lawsuit.

Meanwhile, McAfee found a flaw in the PDF-tracking features of Adobe Reader, and D-Link found flaws – and then patched them – in its IP camera firmware that could allow an IP video stream to be spied upon. And, on a similar note, an online monitoring scheme to boost law enforcement visibility could also offer new powers to state-sponsored hackers, experts warn.

They may not necessarily need them – at least not in China, where hackers seem to have already successfully pilfered large amounts of military and espionage data from US company QinetiQ during three years of persistent cyberattacks. The US Department of Labor and Army Corps reported being hacked (and denied any risk), with such notifications reflecting an increasingly open environment of disclosure that could, reports suggest, become more commonplace if a proposed data breach notification law is introduced in Australia.

Microsoft is offering Webmasters of malware-flagged sites the chance to have those sites re-evaluated, but a second detection of malware could extend the ban considerably. Improved malware-management capabilities are also being delivered with Splunk’s addition of statistical analysis to an enterprise security app, while observers were urging calm in the face of the first jailbreaking of the vaunted Google Glass wearable-computing technology.

Experts were offering advice about phishing, encryption as a security enabler, elements of a successful security awareness program, and 25 must-have technologies for small and medium businesses (SMBs), while – in the wake of an attack on Apache Web servers by ‘Cdorked’ malware – others were advising that corporate open-source projects are proving more difficult than many may expect.

Code vulnerabilities aside, many Web providers – such as Facebook, which has been experimenting with a new form of password recovery – have been fingered in an analysis of their relative commitments to online privacy. Twitter scored highly while Verizon and MySpace got zero out of six possible stars in a recent assessment. The willingness of online properties to stand up for user privacy may become even more important as the FBI pushes to require Facebook, Google and others to build backdoors that would let them snoop on online communications in real time. It’s similar in concept to a bill in The Netherlands, which would give law-enforcement agencies a variety of hacking powers to support their investigations. And yet such access may prove superfluous, with figures suggesting a spy court approved all electronic wiretap requests it received in 2012.

As if potential intrusion from law enforcement agencies wasn’t enough to worry privacy advocates, many are concerned about malware versions of popular software masquerading as legitimate apps, as Mozilla found in launching a cease-and-desist action against a European company that had created a malware-laced version of Mozilla’s Firefox browser. Ditto content spoofing, which has been identified as a major Web site vulnerability. The problem of identity confirmation is so bad that Google is moving to only allow software loaded from its Google Play store, although it’s not clear just how much that will improve the situation.

Stories by David Braue