The week in security: Google fights app malware, long-term PCI compliance plummets

Government requests to Facebook for user data continued to grow in the second half of 2014, the company's latest transparency report has confirmed. And, speaking of transparency, some vendors were worried by Verizon's finding that 80 percent of PCI DSS-compliant firms fail to stay compliant in the year after their certification – leading some to push the PCI Council to accept software-based encryption alongside the hardware-based encryption it currently requires.

Such services may become more common: Verizon talked up the role of managed security services in building out online security as it expanded its ANZ cloud capabilities. Customers will want to bring in the security and compliance big guns through cloud services as health records become particularly juicy targets for hackers.

Even as Pinterest turned on HTTPS for its Web site and kicked off a bug-finding campaign with crowd-debugging firm Bugcrowd, Yahoo published the source code for its email encryption plug-in for public review, and was working on an SMS-based method of killing the password – although not everyone was convinced the latter move would replace two-factor authentication.

The US government announced that it wants to add HTTPS to its public-facing Web sites within two years, while discussions about data retention included the point that the private sector could offer a lot to the conversation. Telstra is certainly getting involved, arguing that it still hasn't figured out how much data retention will cost as the importance of privileged account controls was raised during an industry panel session.

EU Parliamentarians were visiting the US to talk about the challenges of data protection and mass surveillance, even as a proposed US data breach notification bill was criticised for being too weak.

Legislation is only one part of the security puzzle, however: corporate culture is also essential, and some were noting that corporate cultures were holding back growth in the adoption of cyber insurance. Corporate culture – and a surplus of security standards to follow – was also causing problems in the boardroom as business leaders struggled to identify the best way forward. Many executives are so caught up fighting the big-name hacks that they don't even notice the surge in problems caused by internal users.

Analysis of the high-volume Premera and Anthem data breaches suggested the hacking methods used against the two were quite similar and were probably the result of espionage.

Meanwhile, researchers identified 13 new Android adware apps on the Google Play app store as others pointed out that hundreds of Android and iOS apps are still vulnerable to the FREAK security hole.

Little wonder the Google Play app review process has been enhanced by adding humans to the approval process – the automated checks were struggling repeatedly, as a security firm found Google Play's new app checkers were being bypassed by aggressive adware apps.

Twitter was adding its own human touch, adding a tool that allows users to report offensive or threatening tweets to the police. Given that a survey found users hate the lack of privacy controls on the Internet, the threat of more rapid reporting may prove to be a deterrent to some antisocial behaviour by outside hackers.

Yet companies also love their privacy: Cisco Systems, it was revealed, sometimes ships customers' gear to unrelated addresses to stop the NSA from intercepting it and installing back doors. That's one small step towards security, although any gains Cisco made may be counterbalanced by the discovery that more than 700,000 ADSL routers supplied to customers by ISPs have serious flaws that allow remote attackers to take control of them.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
