The week in security: Are NSA’s fingerprints all over iPhone 5S, iOS 7?

What does it take to become a cyber-security legend? Opinions vary, but the CVs of five people being inducted into the National Cyber Security Hall of Fame might provide some valuable clues.

Apple’s iOS 7 may be inching towards legendary status itself, if early appraisals of its security mechanisms – deftly supported by the new iPhone 5S’s fingerprint scanner – are correct (here’s what you need to know about this significant advancement).

Yet while jailbreakers were cracking their knuckles to get down to business on iOS 7 and some were excited about the sensor’s potential to improve corporate access security, others warned that the iPhone 5S fingerprint scanner “is no silver bullet”, and still others were considering the implications of widespread sensor data collection.

Advanced persistent threat (APT)-focused security firm CrowdStrike raised $30m in funding, while Cisco Systems added a security arm to its services division and HP’s TippingPoint arm announced it would sponsor a mobile-only hacking contest with $US300,000 in prize money.

There were concerns about Google’s Chrome Apps app-delivery model, while one researcher was calling for less hatred for Windows 8’s allegedly-insecure, picture-based passwords. There was greater concern about the privacy protections around Google’s Street View service, which lost the Internet giant an appeal against a decision that its collection of unencrypted Wi-Fi data violates federal wiretap laws. This paved the way for Google users to claim for damages over the practice.

In other situations, however, passive scanning can be quite important – for example, in containing the security risk of bring your own device (BYOD) programs. Another technique is using new sandboxing techniques such as those from Good Technology, whose eponymous mobile-security platform was certified to Defence Signals Directorate EAL4+ standards. The technique is gaining such popularity that French ministers have been told to install Android sandboxing tools if they want to use smartphones for work purposes. It’s a growing reality that government IT executives, such as the CIO of the US Bureau of Alcohol, Tobacco, Firearms and Explosives, are actively promoting.

Despite the appeal of mobility, however, corporate security managers will be concerned by reports that the BlackBerry Enterprise Server (BES) encryption has been cracked by the US National Security Agency (NSA) – which raised hackles within the EU government, where politicians called for suspension of a data-sharing agreement between the US and EU because of the NSA’s activities. The agency’s big-data efforts need more transparency, some privacy advocates argued, while a surveillance court has seemingly agreed after ordering a review of the transparency of its decisions. Meanwhile, others were pointing out rather important omissions in the recent Black Hat presentation of NSA chief Gen. Keith Alexander.

There’s no telling how the NSA will go with the secure encryption key-management cloud service announced by KeyNexus – although rumours about the NSA’s dealings with many vendors suggest the agency is pressuring vendors to add hidden backdoors in their products. Such rumours even led the National Institute of Standards and Technology (NIST) to deny that the NSA had interfered with its processes of vetting and choosing encryption algorithms. The meme was so strong that US officials came out arguing that the government isn’t “knowingly” weakening encryption.

Indeed, in the UK the government is actively encouraging it, having launched a code-breaking challenge by which it’s vetting potential new recruits. Also apparently recruiting was North Korea’s cyber-security arm, which has been blamed for cyberattacks on a range of South Korean institutions using what is being termed a ‘clunky’ Trojan-based attack.

Also targeted for attack was Vodafone Germany, which was infiltrated by hackers who stole data on two million customers in a move that is being blamed on insiders. Warnings about medical identity theft raised the spectre of yet another security issue.

Fake job ads from UK retailer Harrods were used in a phishing attack, while Westpac was also targeted by Net nasties in a move that had the bank warning users to ignore an email scam asking them to confirm their credit card details. Santander Bank was targeted in an attempt to add a rogue hardware device to the company’s network, while security researchers warned that an email spam campaign was mirroring popular Windows techniques on the Android mobile platform.

Also learning from Windows is a programmer who exploited a Windows vulnerability in public clouds to access supposedly-secure volumes on commercial services like Amazon Web Services. Of course, sometimes the cloud does the peeking itself, as suggested by new revelations about Dropbox. Also building on popular techniques are gamers, according to reports, who are exploiting inherently chatty online-gaming APIs to flood unsuspecting targets with amplified DDoS attacks.

Also sure to feature high on the security circuit – hopefully for the right reasons – is the new data hub for the US ‘Obamacare’ federal healthcare program, which was declared to be secure and ready for use – at least, until some lawmakers raised their concerns about the security of the platform.

With so many attacks around, it might be useful for them to consider an IT security rating system being offered by startup BitSight Technologies. Who knows? It might be one of the many security startups that are attracting increasing attention from venture capitalists.

Meanwhile, a new Web browser called Epic Privacy Browser bowed, with a high degree of anonymity for Web surfers. Adobe issued critical security updates for Flash Player, Reader and Shockwave Player. Apple issued the final non-security update for OS X Mountain Lion, OS X 10.8.5. Poor PHP design was being blamed for hacker attacks on a range of Web sites, while Oracle added whitelisting capabilities to Java in a move that should improve corporate security by allowing highly granular controls over acceptable applets.


Stories by David Braue