The week in security: Is compromised Android the mobile world’s Windows?

Even as signs suggested the Chinese hacking gang credited with the attack on the New York Times Web site is on the move again and the New York Post was hit by hacktivists, Trend Micro was warning of a new targeted attack called, ironically, ‘Safe’. A new compromise was identified on the Web site of the Central Tibetan Administration, while other new malware taps into a mobile ad network to make its money.

That approach is becoming more common, with Palo Alto Networks reporting on the mobile adware loophole and a Zscaler analysis finding that the problem has gotten so bad that one in five of the most popular Android apps is now a mobile security risk.

Confirming the growing Android threat, Trend Micro’s latest Security Roundup Report found that Android vulnerabilities were the biggest security concern, with Bitcoin applications being upgraded after a problem was identified in Android cryptography that could allow attackers to steal the virtual currency. And, according to an update from Kaspersky Lab, cybercriminals are using a Google application-messaging service to control the activity of their Android malware.

The problem is so bad that Android has become the mobile world’s equivalent of Windows, one study concludes. That’s not great news for consumers that love the idea of mobile security but aren’t quite ready yet to actually pay for it, according to reports. It’s even worse news because it can be assumed that some users will do the wrong thing no matter how much security training they receive, one security executive has warned.

Speaking of controlling activity, it turns out some gamers are using DDoS-on-demand services as weapons to inflict delays on their online rivals. Also having control issues was a baby-monitor maker whose product was hacked in a high-profile PR disaster. Less intentional was a problem at the University of Wolverhampton, which underwent a major firewall upgrade after problems with its network access control system were interrupting legitimate student users.

Government bodies were encouraged to develop customised defences to fight cyber attacks where antivirus software is now deemed to be inadequate: for example, some researchers authored code that can identify attack code even if it has changed its identity in an attempt to hide. Such approaches will be necessary if the forces of cybersecurity good are ever to keep up with new exploits, such as the one cybercriminals launched that capitalises on a recently patched Java vulnerability.

Meanwhile, organisations of all stripes were being encouraged to plan the isolation of Windows XP-based systems when support for the operating system is discontinued in April 2014, or face an endless series of zero-day attacks. It might also be time to weigh up cyber insurance, which is seeing a surge in interest as data breaches push companies to consider it.

In a sign that the US government has taken the revelations of its National Security Agency (NSA) snooping seriously, the Obama administration has set up a surveillance review group to weigh the benefits of applying new technologies to future surveillance activities. The NSA was also said to be considering cutting system-administrator numbers by 90 percent.

Meanwhile, Oracle CEO Larry Ellison weighed in on the surveillance issue, arguing that some government surveillance is “essential” in fighting terror. Along the same lines, Google raised a stink by arguing that Gmail users can’t expect their data to be private, leading some to wonder if it’s not getting a bit too arrogant for its own good. Meanwhile, Australian Privacy Commissioner Timothy Pilgrim had a scathing review of Web site privacy policies that he concluded were far too complex.

Some security experts were arguing that the NSA controversy won’t drive customers away from public cloud services. Others were concerned about the security of cloud data – which has been said to be so bad in PRISM’s wake that it could cost businesses their very existence – with those concerns driving the likes of Kim Dotcom to consider new, secure email initiatives. Security consultancy Pure Hacking also weighed in on the lack of security, with a new service that traces stolen data into the netherworld of hacking forums and cyberspace dark alleys.

Joomla patched a file-manager vulnerability that’s been blamed for hijacked Web sites, while Microsoft patched critical Internet Explorer and Exchange Server flaws and offered optional security updates to block MD5 certificates and improve RDP authentication. IBM bought endpoint security company Trusteer, which will expand the computing giant’s new Security Division.

For its part, Google reported that it has paid out over $US2m for over 2000 security bug reports – suggesting the strength of the bug crowdsourcing model. Google is so happy about the results that it increased the rewards for the program, with the reward for bounties previously rated at $US1000 rising to $US5000.
