The week in security: Ongoing hacks highlight partner, employee risks

Keen university students may want to apply for a global scholarship through (ISC)2, with Australia's only recipient saying it helped foster her interest in the information-security industry.

Even as Microsoft admitted its email had been hacked by the Syrian Electronic Army and Yahoo reset email accounts after admitting it had also been targeted in an email attack, Apple shared information about law-enforcement requests for information it holds on its customers.

The Pwn2Own hacking contest raised the kitty to $US645,000, while startup security vendor TrustSphere was pushing the benefits of messaging intelligence.

Even as Target alleged its high-profile hack was facilitated with credentials “stolen” from a vendor and the US Department of Justice was investigating the massive breach of Target security, there were warnings that the spate of retailer-targeted hacks was set to continue. Soon proving those forecasts right was the discovery of Tor-enabled malware that stole credit card data from POS systems at dozens of retailers.

Meanwhile, Coca-Cola admitted that an employee had 'borrowed' 55 laptops over a period of years without anyone noticing. Domain registrar GoDaddy owned up to its role in a Twitter account-hijacking incident, highlighting the fact that social engineering remains as much a threat as risks from external third parties. It's the sort of thing that requires eternal vigilance, with Asia-Pacific contractors more likely to be involved in data-security incidents than those in other regions.

Employers were also testing the extent of employee responsibility for data incidents, with a judge ruling that misuse of proprietary data alone isn't enough to violate the US Computer Fraud and Abuse Act (CFAA). Yet many CSOs will still be wondering just how punitive the response should be when an employee clicks on a malware-laden phishing email.

Meanwhile, hack target Snapchat was being criticised for failing to improve security enough in its response, while Android Jelly Bean and KitKat were hit with a VPN bypass vulnerability that highlights the continuing dominance of Android in the mobile malware arena. The lack of HTTPS use by mobile ad libraries was flagged as a particular concern in the mobile world, while popular FTP program FileZilla was being spoofed with a malware-laced version, while a new Java exploit targeted Linux and Mac users with a DDoS bot.

A Russian man pleaded guilty for authoring the SpyEye banking-fraud Trojan, while anonymous-email service Lavabit was crawling through the courts and a medical-transcription firm was nailed after inadequate security measures allowed patients' personal information to be leaked online.

Some analyses of the NSA's phone-surveillance program said it had aided government investigations, although one defendant in a court case launched a legal challenge against the Department of Justice's use of NSA surveillance.

The German government and its intelligence service are facing legal action for their complicity with the NSA's work – even as the agency appointed its first civil liberties and privacy officer and President Barack Obama appointed a cryptologist as the new head of the NSA.

Some were offering advice on network security management and how to deal with large DDoS attacks, while – even with reports suggesting an improvement in privacy attention] – there were fears that the convenience of pay-as-you-go cloud-computing services was [[xref:http://www.cso.com.au/article/537119/cloud_availability_trumps_security_concerns_when_it_comes_shadow_it/ about the spread of 'shadow IT'. Either way, it's important that organisations consider how they would respond to a data breach.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about AppleDepartment of JusticeLinuxMicrosoftmobilesNSAUS Department of JusticeYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

More videos

Blog Posts