The week in security: Millions compromised in Apple, Linux forum hacks
29 July, 2013 16:23
Are you covered for damage from a security attack? If you’re like most companies, the answer may be ‘no’ even if you think otherwise. One insurance-industry figure warns that some uncomfortable truths may come out in the wash as growing pressure for mandatory breach warnings drives companies to fess up about their real vulnerabilities.
Amid increasingly repeated concerns that the NSA’s spying activities could have a deleterious effect on US-based cloud firms, the White House opposed a bill that would curtail NSA surveillance spending, and the court overseeing the activities of the US NSA renewed the standing permission for continued collection of telephone-call metadata. A vote on the issue was tight enough that privacy advocates hope the tide is starting to turn against surveillance, even as the US-based American Civil Liberties Union (ACLU) released a report documenting widespread license-plate scanning on that country’s highways. Little wonder a German government report recommended companies should stop sending Europeans’ personal data to the US.
User forums have become the target du jour for hackers, with an Ubuntu Linux discussion forum breached and taken offline after encrypted passwords and email addresses for nearly 2 million users were stolen.
Apple’s own developer site was hacked, suffering a high-profile multi-day outage that saw the company openly admitting the incident, closing down the site and gradually overhauling and eventually restoring services throughout the week. Predictably, phishers wasted no time targeting the users’ credentials.
Despite the high-profile user-forum hacks, good old security flaws were also abundant: for example, researchers found a major encryption flaw in older mobile-phone SIM cards that some said boosted the case for secure mobile data containers. Others argued that the flaw has significant implications for mobile-reliant businesses, even though the researcher who identified the issues says they are easy to fix.
Indonesia came from nowhere to emerge as a major global source of malware in Akamai’s latest State of the Internet report, while Network Solutions was facing its own problems as latency of its MySQL databases increased in the wake of its defence against DDoS attacks. A hacker group called the Syrian Electronic Army hacked the customer support Web site of instant-messaging and VoIP provider Viber. Another report found a rise in Android malware that turns handsets into spying devices, while Symantec reported an Android flaw that’s allowing apps to modify legitimate applications by using a ‘master key’ vulnerability.
Little wonder so many CSOs are thinking about mobile security policies. Yet others should also be looking at more practical matters such as the handling of digital certificates, which one security specialist has warned remains an often unrealised weakness in corporate environments.
Even as figures suggested 500 hosted Web sites are compromised every day and a new Trojan called KINS threatened the integrity of online banking, hackers’ continuous ingenuity in identifying new vulnerabilities has shifted the focus of many vendors’ tools elsewhere, with one security analyst pointing out that regardless of their nature it’s relatively easy to spot malware based on its use of nonstandard IP ports.
More companies may want to consider the technique: even though Microsoft said almost 90% of Citadel botnets had been disrupted in June, Trend Micro reported that the malware is active on 20,000 PCs in Japan alone, and a Center for Strategic and International Studies estimate suggests cybercrime costs the world $US400 billion ($A431.7 billion) every year. There are also indications that cybercriminals are only getting smarter – using the anonymous Tor network to control their botnets.
In an unusual situation, the decision to fine a UK council £250,000 ($A414,895) – for carelessly disposing of paper records containing private information – was ruled to be excessive by an appeals tribunal. In a less unusual situation, a Spanish scammer took in nearly $US53,000 ($A57,175) over the course of two months using the WhatsApp messaging system. A Texas man was charged with running a Bitcoin Ponzi scheme, while five Russians and Ukrainians were indicted in New Jersey for hacking major corporate networks to steal credit card numbers.
UK Internet search providers pressured Google, Yahoo and Microsoft to block child-abuse images from their search results, then invited controversy with a measure that would force ISPs to block pornographic content by default.
Bitdefender launched a purpose-built browser designed to protect online-shopping sessions, while Cisco Systems spent $US2.7 billion ($A2.91 billion) to acquire security vendor Sourcefire – leading some to wonder about how the company will resolve product overlap between the two.
Another open-source project, known as Crypton, seeks to help developers add unbreakable encryption to their applications, while RSA is acquiring companies to improve its authentication and identity management capabilities. For its part, IBM added vulnerability-management capabilities to its QRadar SIEM platform, while a new biometric display screen was demonstrated that can recognise fingerprints as well as functioning as a touchscreen.