The week in security: NSA lost trust, BYOD needs it

Analytics firm Neustar found that one in five UK businesses was hit by a DDoS attack last year, while DDoS specialist Prolexic found today’s DDoSes to be faster and furiouser than ever before and a California report said that 2.5 million residents were hit by data breaches last year.

The culprits are many, with help desk employees fingered in one report and a preponderance of vulnerable Java installations blamed by another.

Bring Your Own Device (BYOD) policies aren’t helping, either: while nearly half of UK office workers are “free to roam and work from home”, BYOD is running wild at most companies and enabling it is creating a trust gap between employees and employers, a new study has found, while others say a lack of effective implementation is exposing data to cyber criminals.

Speaking of trust, email security giant Mimecast set up an Australian office and is planning on building its brand here based on what it calls an “information banking” opportunity. Cloud-computing providers are inching towards a more consistent set of standards around marketing and service bundling, thanks to the efforts of an Australian Computer Society-stewarded effort that is now accepting submissions.

Protecting virtual desktop and server environments has always introduced its own challenges, but some startups are solving the issue with CPU-based security technology. Good thing, too: one security expert points out that suspended virtual images can reinfect networks with old vulnerabilities after they’re brought back online or duplicated.

A UK hospital was fined £200,000 (A$331,950) after a hard drive containing 3000 patients’ records was sold, unwiped, instead of being sent for destruction as it should have been.

Not even encryption would have improved the situation, according to those who argue that government surveillance orders transcend such protections. Except, maybe, in Germany, where chancellor Angela Merkel is pushing for stronger data protection laws – or in the Netherlands, where a judiciary council ruled that decryption orders from governments could violate human rights. No word, however, on whether there will be changes to the UK police powers to seize data from laptops and mobile phones at the country’s borders.

The NSA continued to cop fallout over PRISM, with church and advocacy groups suing the organisation and Microsoft refuting claims that it gives the NSA access to customers’ emails. Microsoft was also asking the US Attorney General for permission to disclose its dealings with the NSA, whose phone collection practices were held by some lawmakers to have violated the law. Other tech groups were pushing for greater transparency in government data requests.

Little wonder services like BitTorrent Sync are promising to protect online files. Ditto SpiderOak: this Dropbox contender, which encrypts everything you store on its service – and throws away the key – has seen signup rates triple since PRISM was exposed.

While some try to improve citizen privacy, new indications suggest scammers are getting even better at compromising it with identity-theft kits now featuring verified healthcare information. Some retail stores aren’t doing much better, with experiments into the use of Wi-Fi and enhanced video surveillance offering a glimpse into the creepy future of privacy stalking.

Speaking of creepy, Google Glass has been paired with QR codes to create a hands-free operating mechanism, while Symantec found that the platform is vulnerable to a long-known Wi-Fi problem.

On the malware front, researchers were intrigued by new malware that steals FTP credentials, while another curious malware demands nothing more than that users fill in a survey. And, on the Mac front, a new piece of malware is digitally signed to appear legitimate, but uses a Unicode character to hide its real file type and encourage execution. An even simpler exploit uses JavaScript to trick visitors into paying a ransom demand.

A new malware campaign was targeted at Asian and European governments, while papers suggested the US government is pushing for Internet filters to appear to be turned on by default, even when they’re not.

The W3C knocked back an effort by the advertising industry to take control of a standard around Websites’ handling of ‘do not track’ requests, while Facebook was lauding the merits of bug-bounty programs after fixing a critical flaw, Oracle offered 27 fixes for remote exploits, and Google patched a massive security flaw in Android, even though fixes seem to be taking their time trickling out to users. Alternative sources of fixes were soon appearing too.

Some wondered if the simple act of having an IP address was security flaw enough, with an illustrated guide showing some of the techniques that can be used to track down people by their IP.

Although Google has proved to be the pace-setter in terms of automatically updating mobile applications – Apple and Microsoft are following suit – others were lamenting the ease with which cyber-criminals are developing Android malware, while South Korea was lamenting the ease with which, it says, North Korea is pummelling its government websites.

Also pummelled was Network Solutions, which restored services after being hit by a massive DDoS attack that knocked some of its servers offline.

If you’ve ever wondered how keylogging malware steals your information, one expert offers a demonstration. Other software – in particular the open-source Tortilla tool released at Black Hat – is designed to improve anonymity on Windows systems. Another open-source tool – an intrusion detection system called Bro – is being developed for new markets by a startup called Broala after being used on high-speed research networks for around two decades.

Stories by David Braue
