The week in security: Moving on Internet of Things security, lagging elsewhere

Malware authors are proving increasingly successful at spreading fake Google Chrome extensions through Facebook. Appropriate, then, that Facebook launched ThreatExchange, a platform on which participating companies can share information about security threats with one another.

Cloud-storage firm Box patched a bug in its Mac client application after the flaw was found to expose sensitive data. Citing similar concerns about Box rival Dropbox, the University of Liverpool moved to a different file-sharing system to limit its exposure. There was no patch, however, for another exposure of sensitive data: a security researcher released 10 million usernames and passwords collected from data breaches over the last decade.

That wasn't the worst of it: a group of students claimed to have found some 40,000 MongoDB instances running unprotected on the internet, including one that they say holds 8 million customer records belonging to a French telecommunications company. Even former Florida governor and presidential hopeful Jeb Bush got in on the action, with a mass email dump that put the personal information of his former constituents online and turned out to include a number of virus-laden attachments as well.

The acquisition of an Internet of Things (IoT) security specialist by chip maker ARM highlighted the industry's push to secure IoT from the outset, as did reports that rising shipments of biometric security components point to the technology spreading across a growing range of devices. Concerns about smarter but insecure cars, made by manufacturers that some say take a "haphazard" approach to security, are also putting people on edge.

Gartner agreed that IoT makers undervalue security. Concern is high enough that a group of US senators is already pushing for IoT privacy and security legislation; not one but two bills have now been introduced to address the IoT threat.

IoT devices are far from the only ones under scrutiny: there were claims, quickly refuted by Samsung, that its smart TVs may be listening in on personal conversations; reports that Advantech industrial control equipment was exposed to a remote code-execution vulnerability; and worries about the potential scope of healthcare data breaches as US states pushed recently hacked health insurer Anthem to quickly tell its customers about the attack.

Twitter reported that the volume of government data requests rose by 40 percent between the first and second halves of 2014. The EU Parliament blocked use of Microsoft's new Outlook applications because of what it termed "serious security issues". On the attack front, ransomware authors were streamlining their campaigns as infections continued to rise.

The Australian government was tackling issues of its own, tabling legislation that would create a Children's e-Safety Commissioner charged with policing potentially harmful online content. The US government, for its part, was creating a cybersecurity agency to monitor online threats and close an information gap by sharing attack data among government departments.

Such proactivity will become increasingly common as state-sponsored attacks continue to rise: a new study found that China was behind the most state-sponsored attacks in 2014, but that most of them targeted Vietnam rather than the US. Even the Netherlands felt the pinch after a massive DDoS attack took its government websites offline for 10 hours.

This article is brought to you by Enex TestLab, content directors for CSO Australia.



Stories by David Braue
