Document sharing giant Scribd was hacked this week, with as many as 1 million passwords compromised. Little wonder security vendors have been changing their tack on the advice they offer: security these days, they say, is about risk management and minimisation rather than absolute blocking.
This change in approach is a recognition that hackers and malware authors are getting smarter every day: for example, the latest attacks leverage a user’s browsing history to look more convincing, while others hit emergency call centres with ‘TDoS’ (telephony denial of service) attacks that flood their VoIP systems with calls.
Another piece of clever malware monitors the infected system for mouse clicks, using them as a barometer of human interaction and staying dormant when there’s no clicking going on. The logic is a cheap sandbox check: an automated analysis environment rarely generates mouse activity, so the malware only reveals its behaviour on a machine a real person is using.
Mobile threats are equally problematic: a newly discovered piece of Android spyware appears to have targeted a prominent Tibetan political figure in an effort to pin down the user’s exact location. Another genre of malware, one-click-fraud apps, has also moved to Android. Little wonder the US Army is copping flak about its mobile-security program, which was panned in an Inspector General report that was subsequently pulled offline, then reposted while the Army defended its mobile-security credentials.
Facebook, sensing an impending privacy issue, posted a Q&A on its site about the privacy implications of its new Facebook Home software. And Harvard University was doing its own privacy soul-searching after revelations of additional secret email searches, while a privacy group was calling for changes in the CISPA cyberthreat sharing bill and privacy advocates locked horns with the California Chamber of Commerce over an evolving online privacy bill.
Asian governments are in the news as some in the US argue that concerns about Chinese hacking justify rules barring four government agencies from sourcing IT products from Chinese manufacturers. Also on the international front, two of Japan’s major Internet portals were hacked, compromising as many as 100,000 user accounts.
North Korea was reportedly hit by attacks and password leaks from the hacking collective Anonymous. At the same time, the US and South Korea have joined forces to counter North Korean cyberattacks, while Australian police charged an unidentified juvenile, a suspected Anonymous member, with hacking-related offences.
Better online controls will be crucial as online interactions become more sophisticated and important. Online electronics retailer Bitcoinstore, for one, has seen enough success in its trial of bitcoins for payment that it will make the scheme permanent, which only increases the need for effective security protections. Such experiments may show promise for online currencies, but there were warnings that the implementation of Universal Credit could leave the public sector ‘vulnerable to fraud’. And in separate blows to bitcoin, hackers compromised the database of bitcoin storage service Instawallet; the largest bitcoin exchange, Mt Gox, fought a DoS attack designed to manipulate the price of the virtual currency; and new malware for mining bitcoin was seen spreading online.
Sophos was urging customers to apply a security update for its Web Protection Appliance, while Russian firm Yandex launched a public DNS service with malicious URL filtering. Microsoft’s Patch Tuesday this week will address critical vulnerabilities in Windows 8 and Windows RT, while BlackBerry was spruiking the security credentials of its new platform.
Google has done its part to support the fight against mobile baddies by transferring the license for its 3LM security technology to mobile device management (MDM) vendor BoxTone, allowing that company to exclusively build out the 3LM technology. Samsung made its own MDM move, striking a deal with Absolute Software to challenge BlackBerry Enterprise Server in the business market.
Organisations wanting to hire staff to help with their security processes may be wondering whether the myriad security certifications on the market are worth their salt. Such certifications need to be checked very carefully, particularly if organisations are to become intelligent contributors to national cybersecurity frameworks, as the US NIST has requested.
Even as a new spearphishing campaign targets energy companies, some enterprising organisations are building their own security capabilities, finding ways to repurpose old iOS smartphones as remote-controlled security cameras. Others may want to draw security inspiration from Intel, which received top honours in the CSO40 awards for a big-data project that helps protect its information.