The week in security: Click-happy users easy pickings as two-factor in the limelight

Fully 91 percent of targeted attacks begin when a user clicks on a spear-phishing email, figures suggest, a finding that should worry any user who receives a strangely worded message that seems too good to be true. Users who do click are compromising Australian small and medium businesses with some regularity, statistics suggest.

An intuitive sense of how often users infect their own machines with malware may be the reason New Zealanders are concerned about the security of their data within government and financial-services organisations, and the same concern is expected to fuel growth in the intrusion prevention system (IPS) market.

Perceived user concerns about the safety of personal data on recycled mobile phones drove Norwegian telco Telenor to source software to ensure that all personal content is deleted from old devices – although many users would benefit just by using a passcode to lock their phones when not in use.

In what could be a coup or a blow for Android security, Samsung submitted several popular devices for evaluation under the Defence Signals Directorate’s strict security assessment program. Such programs lay down the law around technological security standards – which is an approach that more government bodies should follow if they’re concerned about vendors’ security, the head of Huawei’s cybersecurity efforts told CSO.

Symantec killed off its low-cost PC Tools line of security products, which was acquired from an Australian entrepreneur five years ago. Microsoft announced that it’s moving its botnet-fighting capabilities into a Windows Azure cloud-based service, while McAfee is also taking a new tack by streamlining its endpoint security offerings on the back of arguments that signature-based technologies are on their way to obscurity.

Western Australian police weren’t releasing details of charges to be laid against a 17-year-old hacker, but he wasn’t the only teenager in the news: a German student was claiming PayPal refused to give him a reward after he found a vulnerability in its Web site. PayPal, which is running a $US100,000 hacking competition, later relented and said it would recognise bug finders under the age of 18.

Elsewhere, a former Anonymous member faces up to 10 years in prison after he pled guilty to computer hacking charges, while a UK phishing gang ringleader was jailed for eight years after stealing £1m (A$1.58m) from a pensioner and spending it on fripperies including gold and cheeseburgers.

A US report into intellectual-property theft recommended that computers of alleged infringers be remotely crippled, while some believe the shutdown of a massive money laundering organisation hit cybercriminals where it hurts – casting attention on Bitcoin.

Others, however, warn that private retaliation against cybercriminals is a “remarkably bad idea”. Taking matters into one's own hands can backfire in other ways too: the Harvard University dean who approved a warrantless search through staff emails has subsequently stepped down. Indeed, evolving legislation seems to support the idea that email is protected, with the US state of Texas set to require police to get a warrant to search citizens’ emails.

Many CIOs spend so much time thinking about the business-IT interface that they may not have considered the implications of a legal discovery order – but it’s probably a good idea to have a litigation plan in place to simplify the process when one comes. Also on the business-IT front, global supply-chain operators are embracing a new security standard to prevent IT tampering and counterfeiting.

Some were arguing that companies should weigh the merits of sandboxing malware themselves to better understand it. Malware’s typical behaviour makes it easier to spot – although some attacks, such as the largest DDoS ever (which was aimed during the week at a financial services firm), are hard to miss.

A university was fined $US400,000 after a firewall protecting sensitive patient information was left disabled, supporting the idea that organisations face a growing onus to proactively protect their data or face consequences.

Two-factor authentication tools may be becoming more user-friendly by relying on smartphones instead of hardware tokens, but security researchers found that Twitter’s SMS authentication won’t stop attacks, and can even be abused by hackers to lock out users who aren’t using it.

Speaking of hacker abuse, other hackers found a way to compromise servers using vulnerabilities in the Ruby on Rails application-development framework. The Chromium browser got new options to reset settings after they’re manipulated by malware, while the Drupal.org project was forced to reset its users’ account passwords after it detected unauthorised access to information on its servers. LinkedIn added two-factor authentication, as did Evernote after it detected a hack attempt, while Google attracted praise and criticism after exhorting vendors to respond to actively exploited vulnerabilities within seven days. As if on cue, Oracle revealed plans to boost the security of Java.


Stories by David Braue