The week in security: Microsoft fights NSA as shadow IT bites business

'Shadow IT' – the growing range of servers and applications that users can purchase and use without any involvement from the IT organisation – is compromising organisational security, an analysis warns. But rogue end users aren't the only ones to blame: IT professionals share the blame, a recent survey has shown, even as IT pros are labelled 'innovation killers' and high employment rates for CISOs mean the industry is suffering a shortage of those who could help better manage such risks.

In Hong Kong, for one, this has seen CEOs making IT security decisions – which should concern the many people keen to ensure the security of key areas such as big data. This is an even bigger concern because many conventional insurance policies don't cover cyber-security related issues, a Centre for Internet Safety study has warned.

A former general-practice security manager has pleaded guilty to illegally accessing patient data. It's just one of a growing number of examples in which user data can be accessed by malicious outsiders, but one university professor found out just how dangerous the risk is after challenging hackers to pen-test his online world.

Yet it doesn't always take a malicious outsider: another study found that many government organisations can still be compromised by social-engineering tricks involving USB sticks.

User forum Bitcointalk.org warned that some user passwords may have been compromised after the site's DNS registrar was breached. Also on the Bitcoin front, researchers warned about a Web proxy app that has been tapping into its victims' CPU power to run Bitcoin mining routines; others, we were warned, are embedding such uses within end user license agreements.

Two people were arrested in Germany for alleged Bitcoin mining, while there were arms up in the air after $US100 million ($A110m) worth of Bitcoin disappeared from 'darkweb market' Sheep Marketplace.

Even as a report suggested the US National Security Agency was collecting 5 billion records on the location of mobile phones every day – justified by the NSA based on a 1981 executive order from then-president Ronald Reagan – the developers of the popular Android Flashlight app settled charges that it was sharing users' location data with advertisers without users' permission. It's not alone, however: one recent study found that most apps come with some sort of privacy or security issues. Another review found that popular software is loaded with zero-day vulnerabilities.

Microsoft tried to reassure customers that it's not providing the government with direct access to user data and would both encrypt their data and inform them of government data requests in a push against governments' use of “technological brute force to access customer data”. The company even went so far as to call government data snooping the equivalent of an advanced persistent threat. Yet not everybody was impressed, with a Free Software Foundation executive calling the pledge “meaningless”.

Others, however, were happy to do the job in its absence. One particular malware attack, for example, managed to steal 2 million logins for online services – and was only discovered when files containing the details turned up online. Another click-fraud botnet, called ZeroAccess, had been “disrupted” by authorities but was proving hard to eradicate.

Indeed, malware is still running rings around the tools designed to detect it, recent Enex TestLabs eThreatz testing confirmed.

With malware getting so sneaky that it's using inaudible sounds to jump over network 'air gaps' designed for security, the inexorable assault by cyber-criminals raised concerns by many about the security of the upcoming Christmas holiday shopping season – which isn't going to be helped by the surge in malware infections of point-of-sale terminals.

Neither would news that, after its UCard product was hacked earlier this year, JPMorgan Chase & Co. said it would notify nearly 500,000 breached customers but would not replace their cards because there's no evidence that funds were stolen. Users may need to turn to a new service that lets them check whether their usernames and passwords have been compromised in some of the largest data breaches in recent years.

More broadly, others were warning about the increasing attack surface posed by worms set on creating what has been called an Internet of Harmful Things. If this doesn't fuel your fears about a machine-dominated future, drones are even being reprogrammed to hunt and hijack other drones.

The war on DDoS attacks intensified as content distribution specialist Akamai announced it would buy DDoS specialist Prolexic for $US370 million ($A406 million) and the Cloud Security Alliance announced the formation of an Anti-Bot Working Group to fight the threat of DDoS attacks. Along similar lines, a US man was sentenced for participating in a DDoS run by hacker group Anonymous, while the perpetrators of a DDoS attack on PayPal pleaded guilty and could walk free.

France was launching a war of its own, with a draft law in that country suggesting government officials could soon be able to access live user data from ISPs and online services. African nations were inching towards an African Union cybercrime pact that would establish a legal framework for cybersecurity on that continent. A Korean cybersecurity expert warned that the online conflict in that country was likely to intensify in the future.


Stories by David Braue
