The week in security: IT executives forced to implement insecure systems

Users of cloud applications are several times more likely to engage in behaviours that compromise password security, according to a new study of user habits. Yet that's not the only piece of bad news on the applications front: new research from Trustwave suggests that a large proportion of IT professionals are being pressured to implement new technologies even when they don't have the resources to secure them effectively.

Some security advisors were warning that IT professionals should skill up on the emerging Bitcoin economy, while an analysis of the Pastebin Web site showed that some 311,095 user credentials were posted to that site alone last year.

Concerns over the NSA's online surveillance have reached the highest levels, with French and German authorities reportedly discussing ways to keep European email away from US servers. In a related effort, UK privacy advocates are increasingly concerned about the pending introduction of a National Health Service database that automatically extracts patient records from GPs' computer systems.

They may be right to be worried: healthcare data was the most commonly stolen data in US data breach incidents during 2013, according to new figures from the Identity Theft Resource Center. Such threats should prompt many companies to check their handling of internal threats, experts warn.

Experts were also warning governments to prioritise protection of energy-sector companies from security breaches. Meanwhile, hackers developed an exploit for the vulnerability targeted by the recently discovered Linksys router worm, and Belkin fixed a WeMo security hole that could give attackers access to home appliances.

Others developed a way to bury a crucial component of the Zeus banking malware within a digital photo. Also on the banking front, Visa was promoting the security of Europay MasterCard Visa (EMV) chip cards, which are only now being implemented in the US.

Meanwhile, the high-profile Syrian Electronic Army compromised the news Web site of Forbes and published the names, email addresses and encrypted passwords of more than 1 million users. Zeus was spotted scouring for sensitive data, which promises likely new additions to a new database of worldwide data breaches launched by SafeNet.

The continuing success of hackers in breaching various targets has led vendors to try new techniques to give their customers a fighting chance. That success includes the continuing assault of advanced persistent threats (APTs) and the revelation that iOS apps are even riskier than Android apps, despite a surge in malware-infected Android apps in the Google Play store and revelations that cheap Android phones are particularly vulnerable to malware.

McAfee is among the latest aiming to do so, with a new enterprise security package designed for fast threat detection and response. At the same time, another batch of startups is aiming to safeguard mobile devices and cloud applications. And Cisco Systems, for its part, fixed a number of unauthorised-access and DoS flaws in some of its products.

Yet better security isn't all that complicated, according to one analysis that suggests simply changing user rights from 'administrator' to 'standard' access would have hobbled 90 percent of the Microsoft-based critical vulnerabilities reported last year. Whether or not that includes an unpatched IE bug that one researcher claims is being exploited by two hacker gangs is not yet clear.

There are new threats on the horizon: according to one report, European cyber-criminals are moving away from traditional SMS fraud towards 'chargeware'. A UK gaming firm was hit with a £45,000 ($A84,000) fine after using a deceptive Pac Man game to trick users into accessing high-charged SMS services. All this, amidst growing signs that cyber criminals are targeting mobile devices by region.


Stories by David Braue
