The week in security: PRISM revelations show they really are watching you

Australia’s peak ISP body, the Internet Industry Association, opened a three-week consultation period after completing its review of its voluntary icode code of conduct, which coordinates ISPs’ efforts against malware and spam.

The timing could prove apt: McAfee reported a surge in spam and suggested malware was going back to the future, with the presumed-dead Koobface social media worm making a resurgence.

Such trends highlighted the importance of effective mobile security, particularly as mobility turned already-common formal and informal bring your own device (BYOD) programs into unmanaged risk, and executive-led adoption of cloud services forced CSOs to reconsider their security strategies.

Further clouding the landscape, security researchers suggested mobile antivirus products are all but useless. Meanwhile, a survey of executives and IT staff found that laptops were seen as a bigger security risk than desktops and smartphones, suggesting a false sense of security about mobile devices that IT managers don’t necessarily share.

Even as a wave of DDoS attacks hit multiple domain-name providers and the volume of traffic had security experts rending their garments, the head of security at Akamai warned that even the best DDoS protections can’t save CSOs from the need to manage internal security efforts (here’s some advice on how to do it). Another security expert suggested CSOs should consider the legendary battle portrayed in the movie ‘300’ when planning their network security defences.

Yet by far the biggest news of the week was the revelation that the US National Security Agency (NSA) had for years been running a surveillance program, called PRISM, that monitors a broad range of communications channels, putatively for signs of terrorist activity. Privacy groups were naturally up in arms, a conservative activist filed suit over the practice, and US president Barack Obama said privacy compromises were necessary to protect the nation, while adding that “nobody is listening to your telephone calls”.

Amid reports that the surveillance’s scope was “breathtaking” and that organisations including telecommunications carrier Verizon and major Internet companies were involved, Google denied it was involved and others wondered why Twitter wasn’t. Skype and Kazaa co-founder Jaan Tallinn said it was hard to know who to believe.

Defending its actions, the government claimed it was authorised to collect information on non-US persons outside the US, and revelations suggested businesses faced serious legal consequences if they refused to comply with NSA directives. Privacy activists were empowered by the revelations, while others released FAQs and penned how-to guides for avoiding PRISM’s glare. Yet even as the person who leaked PRISM’s existence – 29-year-old ex-NSA contractor Edward Snowden – stepped into the limelight, indications were that the story would get bigger as revelations about its scope continued to emerge.

Almost as an afterthought, Maine inched closer to becoming the first US state to require a warrant for tracking mobile phone activity. A newly-introduced bill in the US aimed to block the issuance of US visas to cyberattackers sponsored by foreign governments. The EU was also looking across national boundaries, demanding that EU countries be able to sentence hackers to two years in prison no matter where they live.

Google banned facial recognition apps and pornography on Google Glass, while reporting that tests showed biometric passwords would introduce their own problems. Also introducing problems was a new Android Trojan that exploits previously unknown flaws, while research found that many users were introducing flaws of their own by being extremely tardy about patching their Java installations.

One researcher argued that the Bitcoin virtual currency would, despite assertions to the contrary, be terrible for money laundering; certainly, it’s hard to stay anonymous when every Bitcoin transaction is recorded in a public ledger. Either way, UK data breaches are getting more expensive – whether measured in bitcoin or pounds sterling – as their average cost rose to £2 million per incident.
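The public ledger makes the de-anonymisation the researcher alludes to largely mechanical. The Python below is an example added here for illustration, not code from the original article or from any named researcher: it applies the well-known common-input-ownership heuristic (addresses spent together as inputs of one transaction are assumed to be controlled by the same party) to a constructed toy transaction set and then propagates any identity known for a single address to the whole cluster. Transaction IDs, addresses and identity labels are made up.

```python
# Added example: address clustering over a constructed, toy transaction graph.
# Heuristic: all inputs of one transaction belong to the same owner. This is
# a standard blockchain-analysis technique; the data below is invented.
from collections import defaultdict

# Constructed transactions: txid -> (input addresses, output addresses).
TXS = {
    "tx1": (["A1", "A2"], ["B1", "A3"]),   # A1 and A2 spent together; A3 is change
    "tx2": (["A3", "A1"], ["C1"]),         # A3 later co-spent with A1
    "tx3": (["A4", "A5"], ["D1"]),         # a second, separate wallet
    "tx4": (["E1"], ["F1"]),               # a single-input payment
}

# Constructed identity hints, e.g. an exchange's KYC record for a deposit
# address, or a donation address posted on a public web page.
KNOWN = {"A2": "alice-exchange-account", "E1": "eve-donation-page"}


class DisjointSet:
    """Union-find over addresses; one set per presumed owner."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_inputs(txs):
    """Group addresses that ever appear together as inputs of one transaction."""
    ds = DisjointSet()
    for inputs, _outputs in txs.values():
        for addr in inputs:
            ds.find(addr)                 # register single-input addresses too
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)
    clusters = defaultdict(set)
    for addr in list(ds.parent):
        clusters[ds.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def attribute(txs, known):
    """Label every address with the identity of its cluster, if one is known.

    Returns address -> label (or None). A cluster with conflicting labels is
    left unattributed rather than guessed at.
    """
    result = {}
    for cluster in cluster_inputs(txs):
        labels = {known[a] for a in cluster if a in known}
        label = next(iter(labels)) if len(labels) == 1 else None
        for addr in cluster:
            result[addr] = label
    return result


if __name__ == "__main__":
    for addr, label in sorted(attribute(TXS, KNOWN).items()):
        print(f"{addr}: {label}")
```

Note that A3, which only ever received change, is attributed to the exchange account because it was later co-spent with A1; that one co-spend is enough to pull a "fresh" address into a known cluster. Real analysis tooling layers further heuristics (change-address detection, timing, exchange deposit patterns) on top of this one, which only strengthens the linkage.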

Stories by David Braue
