The week in security: Millions compromised in Apple, Linux forum hacks

Are you covered for damage from a security attack? If you’re like most companies, the answer may be ‘no’ even if you think otherwise. One insurance-industry figure warns that some uncomfortable truths may come out in the wash as growing pressure for mandatory breach warnings drives companies to fess up about their real vulnerabilities.

Amid increasingly repeated concerns that the NSA’s spying activities could have a deleterious effect on US-based cloud firms, the White House opposed a bill that would curtail NSA surveillance spending, and the court overseeing the activities of the US NSA renewed the standing permission for continued collection of telephone-call metadata. A vote on the issue was tight enough that privacy advocates hope the tide is starting to turn against surveillance, even as the US-based American Civil Liberties Union (ACLU) released a report documenting widespread license-plate scanning on that country’s highways. Little wonder a German government report recommended companies should stop sending Europeans’ personal data to the US.

User forums have become the target du jour for hackers, with an Ubuntu Linux discussion forum breached and taken offline after encrypted passwords and email addresses for nearly 2 million users were stolen.

Apple’s own developer site was hacked, suffering a high-profile multi-day outage that saw the company openly admitting the incident, closing down the site and gradually overhauling and eventually restoring services throughout the week. Predictably, phishers wasted no time targeting the users’ credentials.

Despite the high-profile user-forum hacks, good old security flaws were also abundant: for example, researchers found a major encryption flaw in older mobile-phone SIM cards that some said boosted the case for secure mobile data containers. Others argued that the flaw has significant implications for mobile-reliant businesses, even though the researcher who identified the issues says they are easy to fix.

Indonesia came from nowhere to emerge as a major global source of malware in Akamai’s latest State of the Internet report, while Network Solutions was facing its own problems as latency of its MySQL databases increased in the wake of its defence against DDoS attacks. A hacker group called the Syrian Electronic Army hacked the customer support Web site of instant-messaging and VoIP provider Viber. Another report found a rise in Android malware that turns handsets into spying devices, while Symantec reported an Android flaw that’s allowing apps to modify legitimate applications by using a ‘master key’ vulnerability.

Little wonder so many CSOs are thinking about mobile security policies. Yet others should also be looking at more practical matters such as the handling of digital certificates, which one security specialist has warned remains an often unrealised weakness in corporate environments.

Even as figures suggested 500 hosted Web sites are compromised every day and a new Trojan called KINS threatened the integrity of online banking, hackers’ continuous ingenuity in identifying new vulnerabilities has shifted the focus of many vendors’ tools elsewhere, with one security analyst pointing out that regardless of their nature it’s relatively easy to spot malware based on its use of nonstandard IP ports.

More companies may want to consider the technique: even though Microsoft said almost 90% of Citadel botnets had been disrupted in June, Trend Micro reported that the malware is active on 20,000 PCs in Japan alone, and a Center for Strategic and International Studies estimate suggests cybercrime costs the world $US400 billion ($A431.7 billion) every year. Meanwhile, indications are that cybercriminals are only getting smarter – using the anonymous Tor network to control their botnets.

In an unusual situation, the decision to fine a UK council £250,000 ($A414,895) – for carelessly disposing of paper records containing private information – was ruled to be excessive by an appeals tribunal. In a less unusual situation, a Spanish scammer took in nearly $US53,000 ($A57,175) over the course of two months using the WhatsApp messaging system. A Texas man was charged with running a Bitcoin Ponzi scheme, while five Russians and Ukrainians were indicted in New Jersey for hacking major corporate networks to steal credit card numbers.

UK Internet search providers pressured Google, Yahoo and Microsoft to block child-abuse images from their search results, then invited controversy with a measure that would force ISPs to block pornographic content by default.

Bitdefender launched a purpose-built browser designed to protect online-shopping sessions, while Cisco Systems spent $US2.7 billion ($A2.91 billion) to acquire security vendor Sourcefire – leading some to wonder about how the company will resolve product overlap between the two.

Another open-source project, known as Crypton, seeks to help developers add unbreakable encryption to their applications, while RSA is acquiring companies to improve its authentication and identity management capabilities. For its part, IBM added vulnerability-management capabilities to its QRadar SIEM platform, while a new biometric display screen was demonstrated that can recognise fingerprints as well as functioning as a touchscreen.

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.


Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.