The week in security: Australian A-G reports tapping surge as NSA slammed
17 December, 2013 08:53
With the looming onset of the Christmas break, security-industry pundits were reviewing what has been a very busy year in Internet security and product testing, with rogues' galleries of security threats focusing the spotlight on the worst offenders.
Turns out the US NSA and CIA have been watching online games like World of Warcraft and Second Life, as well as using tracking cookies to monitor the targets of their surveillance. Google, Microsoft and others weren't happy, calling for limits on the NSA's surveillance activities.
Sentiment against the NSA has gotten so bad that one US lawmaker is trying to get the organisation banned from her state, even as the NSA's director challenges critics to find a better way to do its job.
Monitoring isn't confined to the US, however: Australia's Attorney-General released figures showing that tapping of email, SMS and phone traffic surged 16 per cent in 2013 from the previous year. The European Union put the boot into the NSA's practice of phone record collection (but remained silent on a French law allowing warrantless access to live user data). But the NSA's victims aren't the only ones dealing with security compromises: online-comments site Disqus was rushing to fix problems in its site after a Swedish newspaper used it to trace offensive comments back to the public figures who made them.
Even as warnings emerged that holiday shoppers need to remember their security in the real world as well as online, banks were being warned off mobile SMS passcodes and some Android phone makers were contemplating the use of encrypted text messages for protection. Others were considering the actual security risks of the mobile operating system, particularly as news emerged of an exploitable vulnerability in a widely used advertising framework integrated into hundreds of Android apps.
The use of unauthorised digital certificates continues to be a recurring problem, with Google and other browser makers forced to revoke certificates issued by a French certificate authority attached to the country's Ministry of Treasury. Little wonder cloud-based user authentication, which puts more horsepower behind credential-verification efforts, is taking off.
Asia-Pacific privacy authorities were considering the use of privacy 'white lists' to improve cross-border action on privacy controls, while a survey of security executives revealed widespread agreement about the methods for translating IT security processes into business initiatives. Speaking of business initiatives, a survey found that many organisations lack a plan to respond to DDoS attacks.
The US government will hold suppliers to a cyber-security 'baseline', according to a new report, while an Ernst & Young report suggested IT security was finally earning its place at the top executive tiers of business.
Malware authors were wasting no time, however, with a 64-bit version of 'Zeus' malware discovered and taken as a sign that malware authors were rushing to move their activities onto new technology platforms. And, while it was criticised for removing a feature providing tight control over app permissions in the latest version of Android, Google said it would stop blocking images in Gmail because it has developed a way to block potentially dangerous images. Marketers, predictably, were excited about the change.
Meanwhile, one expert warned, five European foreign ministries could have contained the damage caused by Chinese hackers had they followed a few network security design principles. Russian police reported that they have the alleged creator of the Blackhole exploit kit in custody. There were still no leads, however, on the location of two stolen laptops containing the details of more than 840,000 American healthcare fund members.