The week in security: Better security needs preemptive strikes by CSOs, nations

With so many vulnerabilities to deal with, it’s no wonder companies are finding it important to enforce better data controls: eBay, for one, had to figure out how to enforce strict controls on data in its massive data and analytics warehouse.

Indeed, issues of data access are becoming increasingly important in security planning, as became clear at the Evolve 2013 security conference in Melbourne. The head of IT security at the National Australia Bank warned that CSOs must engage with business executives early to retain control of bring your own device (BYOD) and security issues, while a one-time presidential IT security advisor said it’s important not to be complacent about the threats to critical infrastructure from hackers.

Longtime security figurehead Raimund Genes, CTO of security firm Trend Micro, was longing for the days when malware was more like digital graffiti than a digital sledgehammer, while another Trend Micro security researcher found himself impressed by the professionalism shown by contemporary hackers who marry nasty malware code with top-flight customer service, self-service portals, and the like. And ISP iiNet found some unexpected security bonuses from its real-time system monitoring.

Despite all the naysayers slamming the security of Google’s Android operating system, Samsung smartphones and tablets running Android have been approved for use by the US military. This had some suggesting Android had been proven to be as secure as the popular BlackBerry operating system – which is certainly a change from earlier suggestions that Android isn’t even secure enough to be used in corporate bring your own device (BYOD) programs.

Also showing up Google’s security were a group of hackers that found vulnerabilities in the environmental control systems at the company’s Sydney offices, where intruders could have changed the temperature of the building using exploits that reflect the ongoing vulnerability of critical infrastructure systems. The fact that many are still running old, outdated versions of Windows and Internet Explorer doesn’t help things – especially given that researchers have subsequently found hundreds of insecure building control systems in Australia alone.

Many organisations could make the shift from Windows XP much more easily than they believe, if one survey is correct, because they over-emphasise the importance of outdated and useless applications. Others should get rid of antiquated password-based protection mechanisms, PayPal’s CISO believes, while Google has a five-year plan to improve authentication and Intel-owned McAfee is also looking to new security approaches with a high-throughput intrusion-prevention system based on Intel’s processor technology.

Showing less security nous was a failed attack by hacking group Anonymous last month, which has some security experts hoping for a similar fail in the group’s planned efforts to disrupt US government and banking sites. More successful was a pre-event test of the Interop networking show, in which a 70Gbps DDoS attack was being simulated to test the network’s resilience and defences. Yet brute-force attacks aren’t the only way of getting hold of company data: a survey of software-development practices found that more than 1 in 5 CIOs are failing to protect customer data when testing mainframe applications.

Attackers were targeting an unpatched flaw in Internet Explorer 8 (which has subsequently been patched, while a new exploit was building on unpatched vulnerabilities in Java 6. Others, meanwhile, were using the AutoIt Windows interface automation script to build new exploits because of its ease of use and flexibility. Such vulnerabilities have become so problematic that some researchers are experimenting with the use of ‘honeywords’ to foil brute-force password crackers – particularly important because, surveys show, nearly half of online users need to be reminded to change their passwords. That leaves them vulnerable to attack – but so does falling victim to a clever phishing attack, as global satire site The Onion found out.

Turns out US citizens’ every phone call and email are in fact being recorded and stored in a massive government database – if the latest rumours are true, that is. That’s a worrying development which, combined with the US government’s accusation of Chinese government interests said to be actively hacking US targets – albeit dismissed by some sceptics – shows just how much is going on underneath the patina of seeming cybersecurity control. Some US senators are pushing for trade and immigration sanctions against countries found to be supporting cyberattacks against US businesses and government bodies.

There may be more of those than you think, with a study finding that the US military is too reliant on foreign-made equipment. Yet with all the sabre-rattling going on, it’s likely that university efforts to train up cyber-security experts may be necessary – and fast – to level the battlefield in the emerging cyber-warfare stakes.

Meanwhile, Apple’s privacy policy was slammed as violating German data protection laws, while a vote on the future of the EU’s privacy laws has been delayed again. Even by current US standards, however, reports suggest that more than 1 in 5 data brokers checked by the US Federal Trade Commission allegedly violated a US privacy law. Also in that country, lawmakers have introduced a bill that would force mobile application developers to get consent from consumers before collecting their personal data; developers, naturally, hate the idea.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about AppleBlackBerryCSOeBayEUEvolveFederal Trade CommissionGoogleIinetIntelInteropMcAfee AustraliaNational Australia BankPayPalSamsungTrend Micro AustraliaUS Federal Trade Commission

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

More videos

Blog Posts