The week in security: Click-happy users easy pickings as two-factor in the limelight

Fully 91 percent of targeted attacks begin when a user clicks on a spear-phishing email, figures suggest, a finding that should worry any user who receives a strangely worded email that seems too good to be true. Such users are compromising Australian small and medium businesses with some regularity, statistics suggest.

Intuition about the prevalence of malware self-infections may explain why New Zealanders are concerned about the security of their data held by government and financial-services organisations; it is also expected to fuel growth in the intrusion prevention system (IPS) market.

Perceived user concerns about the safety of personal data on recycled mobile phones drove Norwegian telco Telenor to source software to ensure that all personal content is deleted from old devices – although many users would benefit just by using a passcode to lock their phones when not in use.

In what could be a coup or a blow for Android security, Samsung submitted several popular devices for evaluation under the Defence Signals Directorate’s strict security assessment program. Such programs lay down the law around technological security standards – which is an approach that more government bodies should follow if they’re concerned about vendors’ security, the head of Huawei’s cybersecurity efforts told CSO.

Symantec killed off its low-cost PC Tools line of security products, which was acquired from an Australian entrepreneur five years ago. Microsoft announced that it’s moving its botnet-fighting capabilities into a Windows Azure cloud-based service, while McAfee is also taking a new tack by streamlining its endpoint security offerings on the back of arguments that signature-based technologies are on their way to obscurity.

Western Australian police weren’t releasing details of charges to be laid against a 17-year-old hacker, but he wasn’t the only teenager in the news: a German student was claiming PayPal refused to give him a reward after he found a vulnerability in its Web site. PayPal, which is running a $US100,000 hacking competition, later relented and said it would recognise bug finders under the age of 18.

Elsewhere, a former Anonymous member faces up to 10 years in prison after he pleaded guilty to computer hacking charges, while a UK phishing gang ringleader was jailed for eight years after stealing £1m (A$1.58m) from a pensioner and spending it on fripperies including gold and cheeseburgers.

A US report into intellectual-property theft recommended that computers of alleged infringers be remotely crippled, while some believe the shutdown of a massive money laundering organisation hit cybercriminals where it hurts – casting attention on Bitcoin.

Others, however, warn that private retaliation against cybercriminals is a “remarkably bad idea”. One person who learned this is the Harvard University dean who approved a warrantless search through staff emails – and has subsequently stepped down. Indeed, evolving legislation seems to support the idea that email is protected, with the US state of Texas set to require police to get a warrant to search citizens’ emails.

Many CIOs spend so much time thinking about the business-IT interface that they may not have considered the implications of a legal discovery order – but it’s probably a good idea to have a litigation plan in place to simplify the process when one comes. Also on the business-IT front, global supply-chain operators are embracing a new security standard to prevent IT tampering and counterfeiting.

Some were arguing that companies should weigh the merits of sandboxing malware themselves to better understand it. Malware’s typical behaviour makes it easier to spot – although some attacks, such as the largest DDoS ever (which was aimed during the week at a financial services firm), are hard to miss.

A university was fined $US400,000 after a firewall protecting sensitive patient information was left disabled, supporting the idea that organisations face a growing onus to proactively protect their data or face consequences.

Two-factor authentication tools may be becoming more user-friendly by relying on smartphones instead of hardware tokens, but security researchers found that Twitter’s SMS authentication won’t stop attacks – and can be abused by hackers to lock out users who aren’t using it.

Speaking of hacker abuse, other hackers found a way to compromise servers using vulnerabilities in the Ruby on Rails application-development framework. The Chromium browser got new options to reset settings after they’re manipulated by malware, while the project was forced to reset its users’ account passwords after it detected unauthorised access to information on its servers. LinkedIn added two-factor authentication, as did Evernote after it detected a hack attempt, while Google attracted praise and criticism after exhorting vendors to respond to actively exploited vulnerabilities within seven days. As if on cue, Oracle revealed plans to boost the security of Java.


Stories by David Braue
