The week in security: NSA pushes security rethink as world hit by Shellshock

Australia earned the dubious honour of being the country most targeted by phishers – and that's saying something given that it happened in a climate where the overall level of data breaches is continuing to rise. Even malvertising authors were upping their game, digitally signing new samples in an effort to bypass detection by antivirus scanners.

With executives getting smarter about IT security, the smarter malware seems to be driving many companies to defer new business initiatives as they focus more on security. Yet they may run into other problems down the track, as security skills are becoming harder to come by – in the public sector because budgets aren't stretching to match private-sector rates, and in general because while students indicate they are interested in cybersecurity careers their schools aren't giving them the right foundations.

That's troubling news for a sector that is seeing a growing number of encryption users – and the practice has earned the ire of government types as senior officials warned that widespread use of encryption could compromise investigations. Along similar lines, a former NSA director was calling for a new cybersecurity model to deal with increasingly sophisticated attackers. The FBI apparently agrees, and moved towards releasing its Malware Investigator tool to the public in a novel crowdsourcing push.

Even as attacks against the Shellshock vulnerability continued and an improved patch for the vulnerability emerged, researchers continued evaluating the potential attack surface of various systems and found that a typical voice over IP (VoIP) phone system could be compromised using the vulnerability.

Exploits began to appear even as NAS maker QNAP, Cisco, Oracle and other companies realised that dozens of their products were vulnerable, while payment providers were also concerned and researchers confirmed that VPN servers running OpenVPN might be exposed to Shellshock.

Other researchers were weighing the exposure of Mac OS X even as Apple released its own patch for the vulnerability and researchers suggested other forms of defence against the flaw.

Speaking of software vulnerabilities, Rackspace was warning customers about an impending reboot related to an effort to patch a flaw in Xen software that was made public by the Xen Project days later. IBM's SoftLayer cloud company was caught on the back foot, starting its remediation 15 hours after the bug was made public.

General Motors was also worried about software vulnerabilities, appointing its first head of cybersecurity to ensure that the overall security isn't compromised by the increasingly complex systems being put into cars. And Apple seems to have been forced to do its own debugging, of a sort, after the Chinese government demanded the company make some security tweaks to reported flaws before it finally cleared the iPhone 6 for sale in that country.

Facebook's moves to capitalise upon its collection of private information for advertising raised eyebrows in privacy-conscious Germany – part of a region that one security vendor says “ could be the most strict in the world” – while a Pakistani software executive has been indicted in the US for selling a product called StealthGenie that let users monitor communications on someone else's mobile phone. There was no indictment, however, of Chinese malware authors that one security company allege developed iOS malware for targeting at Hong Kong protesters.

Read more: Developing a successful mobile authentication strategy

Yet effective attacks don't necessarily have to be so tricky: use of simple tools can make hacks against industrial systems relatively simple, a recent security conference was told. With cloud computing adding other new attack vectors, it has perhaps never been more important for organisations to get their security stories straight.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags directors for CSO AustraliaPakistani softwarensaIP (VoIP)Mac OS XIT SecurityCSOcybercriminalscloud computingsmarter malwareEnex TestLabdata breachesgermanyChinese governmenthackssecurity skillsCSO Australiasecurity storiesShellshock

More about AppleCSOEnex TestLabFacebookFBINASNSAOracleQNAPRackspaceVoIP

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place