The week in security: Infidelity, driving no longer as safe as they used to be

Tongues were wagging all week about the hack of infidelity-facilitating site Ashley Madison, whose customer database and profiles were stolen and threatened with release by hackers who were angry with the company's ineffective account-deletion policies. The hack looked set to demolish the company's dreams of a London IPO.

The hack sparked a broader discussion about the true effectiveness of data-deletion policies and IT companies' ability to protect personal information online. Some warned that many sites don't hide the fact that a particular user is registered with them, and privacy took a further blow after a US judge ruled against Facebook's efforts to challenge the constitutionality of search warrants served on its users. Similarly, a French court ruled that new surveillance laws are constitutional.

Executive awareness of the need for IT risk management has surged in the past year, according to new Gartner figures. But one security expert was warning that businesses need to stop weighing the risk of cyberattacks to their business based on their company profile, since greater automation in the attack process means many hackers have no idea what company they're penetrating until they get through.

Interestingly, many IT security teams are already spending too much time and money fixing self-inflicted problems rather than fighting external threats, according to a survey of Black Hat conference attendees (little wonder, with new warnings suggesting non-technical users still don't understand data security). There is no lack of the latter, however, with a new bug in the OpenSSH library allowing attackers to bypass restrictions on the number of password retries allowed for incoming users. DDoS attacks pose another challenge, with the severity of such attacks surging in the latest Australian survey. Some companies even have to deal with accidental interference from their own government, as happened during a Belgian government phishing test.

Cyberespionage groups have been reaping the rewards of another high-profile hack, that of hacking group Hacking Team, whose cache of exploits has been carefully scrutinised and led to, among other things, Microsoft issuing an out-of-band update to patch a Windows zero-day affecting numerous versions of Windows – including the as-yet-unreleased Windows 10 (which, by the way, will be getting much quieter security updates than we're used to). One documented piece of Android malware was said to be able to hack 500m Android devices. One former Hacking Team partner even stopped selling zero-day exploits on ethical grounds. Not everything about the Hacking Team leak was good news, however: a South Korean intelligence officer who used the group's software was found dead in an apparent suicide.

Meanwhile, some were contemplating the true complexity of next-generation endpoint protection – particularly in the wake of the high-profile hack of a Jeep Cherokee that prompted a 1.4m-vehicle recall and drove the US Senate to propose a cybersecurity standard for cars. The UK is already tackling the issue, by the way – which is probably a good thing, since some warn that firewalls can't protect the cars and the hackers responsible for the Jeep hack say they could do the same thing to 'hundreds of thousands' of other vehicles.

Security-software firm Malwarebytes began blocking some file-torrent sites, citing security concerns, while the online advertising industry was kicking off a fresh effort to fight click fraud – even as Google found itself racing to stamp out a wave of Android apps that pretend to be games but secretly click on advertisements on pornographic Web sites.

Even as one local solutions provider praised the “incredibly innovative” efforts of ANZ government bodies in improving security, Microsoft was said to be paying $US320m ($A440m) to acquire cloud-security specialist firm Adallom in a move expected to reinforce the company's cloud-computing credentials. Google criticised proposed tighter controls on exporting intrusion software, arguing that it would compromise security research.

As has been common lately, Internet of Things (IoT) security was also in the news, with BlackBerry buying IoT-security firm AtHoc even as an HP study said smartwatches could do better on data protection. Yet IoT security is, by reports, causing headaches for equipment makers who blame Apple's onerous security requirements for delays in releasing HomeKit-compatible security devices.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
