The week in security: Android phones under siege, smartwatch security under fire

Investments in security research could be threatened by new laws criminalising exports of cryptographic technology, an Australian Defence Force cybersecurity executive has warned. Yet other areas are progressing smoothly, such as an RMIT-CA Labs research project that received backing from the Australian Research Council to explore development of methods of user authentication that persist throughout the user's session.

Even the best authentication, however, won't do anything to stop the latest malware innovation that's making Android phone owners sweat: a vulnerability called Stagefright is claimed to allow attackers to hack any Android phone simply by sending a specifically formatted MMS message to the target. As if that wasn't scary enough, researchers warned that MKV video files designed can crash Android phones if designed in a certain way.

It's enough to make you want to downsize to a smartwatch – although new research from HP suggests that even that's not a great idea, with a research report suggesting that 100 percent of smartwatches suffer from security flaws. The same goes for a particular model of safe, which can be hacked with just a USB memory stick containing around 100 lines of code. Also on the security-flaws side this week, Xen patched a new vulnerability that would allow attackers to bypass the controls keeping them inside virtual machines.

Those sorts of problems are likely to mean big payouts from a new vendor that is working to outbid Google in paying hackers who discover new flaws in the Chrome browser. That's likely to push up prices for new exploits, but the number of problems discovered could potentially be limited – as will many other areas of the IT security industry – by ongoing workforce shortages in the cybersecurity market, one jobs board is warning.

One organisation with no lack of hackers is Black Vine, which hacked US health-insurance company Anthem last year – and, by some reports, hacked United Airlines – and has been described in Symantec research as being capable, well-organised professionals. Also enjoying success in leveraging security skills is security vendor ESET, whose Australian growth has been so strong that it has attracted attention at a global scale.

A data breach at the US Census Bureau had some worried that confidential personal information might have been breached, but the agency insisted that it had not. That's some consolation for citizens of a government that has been leaking – and collecting – personal data lately; its NSA snooping arm, however, will lose access to 'historical' phone surveillance data at the end of November.

Other organisations are jumping to collect large volumes of data, however, and with big-data tools increasing in power this is only going to increase. It's important, however, to consider the business context for analytics investments when shaping new data-driven environments. It's also important, one study of the behaviour of security experts vs security non-experts found, to foster three key behaviours that can boost security amongst non-technical users. One of those, of course, is patching – something we could all get better at, if a new survey on users' updating of Windows and other applications is any guide.

Some privacy advocates were ramping up their lobbying of US president Barack Obama about their concerns that too laws to encourage sharing of cyberthreat information would result in the sharing of too much personal information. Also in US politics, several senators were spooked by last week's Jeep Cherokee hack and began calling for an investigation into the potential safety and security threats of connected cars.

Yet other areas of industry are continuing to be hacked with some regularity: several Hacking Team exploits were used to attack Hong Kong and Taiwan-based media and news organisations. A new denial-of-service related DNS flaw could, researchers warned, disrupt the Internet for many users. And, as FUD for thought, researchers developed a Web-based attack that could attack a computer's DRAM.

Meanwhile, Google allowed users to bring their own encryption keys to lock up their data on its Compute Engine cloud service. The company was also telling publisher partners to play nice and conform with a EU directive about the proper use of cookies, even as the company's Google Drive service was targeted with a phishing scheme designed to harvest user credentials. No wonder the EU's privacy head was voicing concerns about data-protection reform.

Join the CSO newsletter!

Error: Please check your email address.

Tags android phonescybersecuritycryptographicsecurityRMIT-CA LabsAndroid phonesmartwatchCSO Australia

More about Australian Defence ForceAustralian Research CouncilCherokeeEUGoogleHPNSARMITSymantecUnited Airlines

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Doesburg and David Watson

Latest Videos

More videos

Blog Posts