The week in security: Android phones under siege, smartwatch security under fire

Investments in security research could be threatened by new laws criminalising exports of cryptographic technology, an Australian Defence Force cybersecurity executive has warned. Yet other areas are progressing smoothly, such as an RMIT-CA Labs research project that received backing from the Australian Research Council to explore development of methods of user authentication that persist throughout the user's session.

Even the best authentication, however, won't do anything to stop the latest malware innovation that's making Android phone owners sweat: a vulnerability called Stagefright is claimed to allow attackers to hack any Android phone simply by sending a specifically formatted MMS message to the target. As if that wasn't scary enough, researchers warned that MKV video files can crash Android phones if designed in a certain way.

It's enough to make you want to downsize to a smartwatch – although new research from HP suggests that even that's not a great idea: its report suggests that 100 percent of smartwatches suffer from security flaws. The same goes for a particular model of safe, which can be hacked with just a USB memory stick containing around 100 lines of code. Also on the security-flaws side this week, Xen patched a new vulnerability that would allow attackers to bypass the controls keeping them inside virtual machines.

Those sorts of problems are likely to mean big payouts from a new vendor that is working to outbid Google in paying hackers who discover new flaws in the Chrome browser. That's likely to push up prices for new exploits, but the number of problems discovered could potentially be limited – as will many other areas of the IT security industry – by ongoing workforce shortages in the cybersecurity market, one jobs board is warning.

One organisation with no lack of hackers is Black Vine, which hacked US health-insurance company Anthem last year – and, by some reports, hacked United Airlines – and has been described in Symantec research as being capable, well-organised professionals. Also enjoying success in leveraging security skills is security vendor ESET, whose Australian growth has been so strong that it has attracted attention at a global scale.

A data breach at the US Census Bureau had some worried that confidential personal information might have been breached, but the agency insisted that it had not. That's some consolation for citizens of a government that has been leaking – and collecting – personal data lately; its NSA snooping arm, however, will lose access to 'historical' phone surveillance data at the end of November.

Other organisations are jumping to collect large volumes of data, however, and with big-data tools increasing in power this is only going to increase. It's important, however, to consider the business context for analytics investments when shaping new data-driven environments. It's also important, one study of the behaviour of security experts vs security non-experts found, to foster three key behaviours that can boost security amongst non-technical users. One of those, of course, is patching – something we could all get better at, if a new survey on users' updating of Windows and other applications is any guide.

Some privacy advocates were ramping up their lobbying of US president Barack Obama about their concerns that laws to encourage sharing of cyberthreat information would result in the sharing of too much personal information. Also in US politics, several senators were spooked by last week's Jeep Cherokee hack and began calling for an investigation into the potential safety and security threats of connected cars.

Yet other areas of industry are continuing to be hacked with some regularity: several Hacking Team exploits were used to attack Hong Kong and Taiwan-based media and news organisations. A new denial-of-service related DNS flaw could, researchers warned, disrupt the Internet for many users. And, as FUD for thought, researchers developed a Web-based attack that could attack a computer's DRAM.

Meanwhile, Google allowed users to bring their own encryption keys to lock up their data on its Compute Engine cloud service. The company was also telling publisher partners to play nice and conform with an EU directive about the proper use of cookies, even as the company's Google Drive service was targeted with a phishing scheme designed to harvest user credentials. No wonder the EU's privacy head was voicing concerns about data-protection reform.


Stories by Anthony Doesburg and David Watson
