​The week in security: Apple-FBI encryption stoush dominates RSA; Aussie execs less hands-on than APAC peers

Encryption continued to dominate the news agenda as a report found it was hugely important as a compliance tool, even as Apple – testifying before Congress about the FBI's request for help to unlock a terrorist's iPhone – said complying with the order would be an “undue burden”. Lawmakers weighed the possibility of copying the target iPhone's memory to allow investigators to keep trying unlock codes until they hit the right one, while Apple reinforced the importance of encryption as a “necessary thing” as it stuck to its refusal to help the FBI create what some have labelled the security industry's first security 'front door'.

Lending weight to Apple's arguments, a New York judge struck down a previous order for Apple to extract data from an iPhone in a separate criminal case. The FBI-related case also became a little cloudier when the organisation's director admitted it was a mistake to ask San Bernadino County administrators to reset the password of the terrorist's iCloud account. And, in a similar case, Brazilian authorities arrested a Facebook executive after allegations that the company's WhatsApp had ignored a drug-related court order.

The escalating Apple-FBI dramas were a rich backdrop for conversations as executives speaking at the RSA Conference in the US weighed in on the debate and said that encryption backdoors were only useful against petty criminals. Top security researchers were united in their opposition to back doors, while the NSA asked technology giants to help it fight cybercrime and terrorism. A US Attorney General's office spokesperson said it was possible to stay safe even with back doors into encryption tools, while one well-known security researcher said – even as Apple formally appealed the iPhone unlocking order in question – that Apple chose the wrong case in which to make its stand against encryption backdoors.

Even as security duo Diffie & Hellman won the 2015 ACM A.M. Turing Award for their 1976 work introducing public-key encryption and digital signatures, a new security standard for encrypted voice and video, called Secure Chorus, was launched at the Mobile World Congress after intensive development efforts led by the UK's GHCQ. This standard should hopefully deliver better security than the TLS vulnerability that affects one in three HTTPS-capable Web servers and is, for some researchers, proof positive of why you shouldn't weaken encryption.

Also at RSA, there were also claims that widespread use of geolocation has killed privacy and that artificial intelligence will play an increasing role in security leadership. There were also discussions about the ability of application morphing to deliver endpoint security and concerns about the liability around Internet of Things (IoT) security, which took yet another hit as an analysis using new open-source testing tools found serious vulnerabilities in more than a dozen wireless routers and access points. On the same lines, Cisco issued a critical patch to remove hardcoded credentials from its Nexus switches.

A Telstra survey of Australian businesses found that Australian executives are less involved in security strategy than their counterparts in other APAC countries. This could create problems both in strategic terms and in the context of phishing attacks – specifically whaling, in which scammers employees into releasing information or financial transactions by masquerading as the boss via email. Most recently, some employees of Snapchat were tricked into sending confidential information to attackers who pretended in an email to be company CEO Evan Spiegel.

Highlighting the industry's ongoing efforts to bolster their security response, IBM bought Resilient Systems while Service-response provider ServiceNow launched a security response-management bundle based on its internal service technologies. Next-generation endpoint security tools were said to be ready to replace antivirus software but some security tools work better than others at stopping malicious outbound communications, according to new testing.

DDoS-blocking efforts at Akamai expanded its global network of DDoS 'scrubbing centres' by opening a new facility in Sydney, its seventh. Microsoft added a Windows 10 feature designed to bolster the platform's security, while Verizon expanded on its seminal Data Breach Investigation Report (DBIR) with a complementary Data Breach Digest outlining 18 real-world security breaches.

These bolstered capabilities came none too soon as new CTB-Locker ransomware hit over 100 websites and there were suspicions that high-profile hacking group Hacking Team had developed new Mac OS X surveillance malware. One group of researchers said malvertising software they were analysing had proved hard to pin down, although in an interesting twist it appeared that the crafty cybercriminal groups writing this type of code were running into their own issues finding enough security talent.

Read more: Most cybersecurity breaches go unreported, uninsured despite executive concern: Barclays

Join the CSO newsletter!

Error: Please check your email address.

Tags iCloudencryptionApple-FBIrsaCSO Australia

More about APACAppleCiscoFacebookFBIMicrosoftNSARSAServiceNowSpiegelVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place