The week in security: CSOs want security-negligent CEOs jailed; Black Hat FUD returns

Australian CSOs blame CEOs and not users for problems in IT security, according to a new survey that also showed support for jailing executives whose failure to prioritise cybersecurity leads to a breach. Yet we need a broader approach to cybersecurity skills development all around to protect our economic future, Cisco Systems has argued in a response to the first-ever Australian Government Cyber Security Review. Skills deficits were even hitting high-level cybersecurity research organisations as companies continue to snap up anyone who can spell APT.

Even as telco T-Mobile was caught in an ad-injection war between two rivals and Yahoo was dealing with a large malvertising campaign on its network that had gone undetected for at least 6 days, several UK banks were hit with a DDoS attack. One former US government official was arguing that the situation has become bad enough that private companies should be certified to launch offensive strikes against cyber-attackers.

Either way, cleaning up the spoils of such cyber conflicts can take years to complete, one security expert warned. One Electronic Frontier Foundation effort is seeking to minimise the amount of data going into the mix by making a Do Not Track standard more meaningful than it currently is.

Some iOS users were encountering a tricky deceptive pop-up advising of an alleged crash report, while those considering an upgrade to the new Windows 10 were being warned about phony upgrade email offers and ransomware scams.

Meanwhile, the Black Hat hacker conference was gearing up as researchers and hackers alike prepared to scare us all with their new vulnerabilities and other discoveries. Among this conference's highlights were a way of infecting the firmware of Apple Macs even when they aren't connected to the network; a rogue Chinese VPN service that is actually commandeering users' computers to join an APT botnet; the dangers of ransomware; weaknesses in next-generation software defined networks (SDNs); a warning that Internet of Things (IoT) devices can be used to steal data (and, contemporaneously, the FDA's first official warning about the hacking of a medical device); ways to alter potentially life-saving messages on a satellite network; and a call for security researchers to fight for their right... to study. Security risks, that is.

Even as one well-known security developer warned that encryption is largely useless, attackers began exploiting a flaw in the widely used BIND software, while others were exploring the use of file-sharing services as a covert way of controlling hacked computers. Hackers were also looking at ways of using Internet route hijacking to get fraudulent HTTPS certificates, while one researcher said hackers were exploiting an OS X Yosemite vulnerability that is being used to plant adware on Macs and another called for calm about the seemingly virulent new Mac vulnerabilities.

As US authorities readied for a vote this week on the controversial CISA bill regarding cybersecurity threat information sharing – and then delayed that vote – the US Department of Homeland Security was warning about the privacy implications of the bill.

Yet even that legislation is nothing compared with actions by Chinese authorities to embed Internet police within the largest online firms in that country. Also on the geopolitical stage, tech industry lobbyists were objecting to a section in US legislation that would require reporting of terrorist activity. Ironically, former HP CEO Carly Fiorina – now a US presidential hopeful – was arguing that Apple and Google should provide better access to user information for law-enforcement efforts.

Tesla was patching its Model S and hired a new security head after hackers figured out how to take control of its vehicles, while reports suggested that high-level US administrators had been targeted by Russian hackers.

ICANN was resetting user passwords after a breach of its Web site security, even as some argued that organisations should focus on data sharing after an incident rather than playing the blame game.

The head of bug-bounty firm Bugcrowd was offering some opinions about vulnerability disclosure efforts, while the CISO of Harvard University offered some useful IT security tips.

Google announced plans to increase the frequency of regular security fixes for its Android devices; ironically, hackers were said to be exploiting vulnerabilities in remote-support tools to hack those same devices. With such reports coming thick and fast on a regular basis, it's hard to accept some claims that Android vulnerabilities could be a blessing in disguise.

Stories by David Braue