The week in security: AFP arrests LulzSec hacker, security arresting BYOD planning

Security researchers were surprised to discover that the malware baddies had gone to the unprecedented effort of creating an entirely new online advertisement distribution network, called BadNews, which burrowed its way through Google Play’s security defences by lying dormant for weeks before distributing malware millions of times by sending fake update notifications.

Little wonder security experts are warning that Android’s “fundamentally broken” security model is making bring your own device (BYOD) strategies too risky to be considered; news that Samsung has delayed its Knox Android security software can’t help either.

On a similar note, some companies are revisiting their BYOD policies to ensure they don’t get hit with lawsuits from employees who feel their privacy has been violated by BYOD security controls. Even giant telco BT is “struggling” with the trend. You DO have a BYOD policy in place, right?

As shown by the Australian Federal Police arrest of a 24-year-old IT security specialist alleged to be a key member of the LulzSec hacking group, effective management of security teams is critical. Does your company understand business goals in a security context, and is your security team flexible enough to quickly and positively respond to criticisms? Not all are, and some warn that lack of flexibility may be an indicator of worse things to come as good security talent becomes harder to find.

Also an indicator of worse things to come are figures from Verizon’s latest cyber-security report, whose findings include nuggets such as that one in five data breaches are due to cyberespionage and that China continues to dominate as a source of the attacks. Meanwhile, an Islamic hacktivist group continues to hammer US banks and other financial services companies with DDoS attacks. Clearly, we have a lot of work ahead of us – especially since statistics suggest we are being hit on the same TCP/IP ports, over and over again. Perhaps there is value in learning from crowd-sourced attack data, as implemented by new tools from security firm Imperva.

Companies managing users’ data need to be vigilant about how it’s collected, with Apple spelling out its privacy policy for data collected using its Siri voice assistant and the German government fining Google $US190,000 ($A185,000) for gathering a variety of information from unprotected WiFi networks using its Google Street View cars. Coincidentally, Microsoft has launched a new campaign to fete its privacy credentials, with the catchphrase “your privacy is our priority”. Perhaps the UK Inland Revenue department could take note, after revelations it accidentally misdirected 201 emails to the wrong people.

Yet not all parties love better privacy controls: Mozilla is copping flak from advertisers for allowing Internet users to opt out of behavioural tracking. Also fingered in privacy controversy are the Google Glass augmented-reality glasses, but CEO Eric Schmidt stepped in to point out that the wearable computer is still a year away from release. That gives privacy lobbyists more time to build up their arguments around the technology’s privacy implications – as they have done around the UK’s so-called ‘Snoopers’ Charter’, which was dumped after concerns – although a tepid response to the progressing Cyber Intelligence Sharing and Protection Act (CISPA), which itself seems doomed to fail, suggests they need to improve their organising capabilities first.

Perhaps they need not fear having nothing to rally people around: the US Department of Homeland Security (DHS) is reportedly preparing a more powerful version of its EINSTEIN intrusion-detection system that uses deep-packet inspection to detect malware attacks and stress out privacy advocates all in the one go, even though a US Senate committee has approved legislation to protect citizens from government surveillance of cloud-hosted data. Yet even as a US judge supports privacy by rejecting an FBI request to hack the computer of a suspected cyber-criminal, privacy advocates are already up in arms over proposed changes to European data protection laws, which they say would strip citizens of their privacy rights. That gels with the mission of Adobe Systems’ first CSO, Brad Arkin, whose first priority is the security of the vendor’s hosted services. He couldn’t be more timely, with warnings that hackers are increasingly targeting shared Web hosting servers as launching pads for mass phishing attacks.

New Boeing technology promises to unify business IT networks with traditionally-separate industrial-control systems, while new malware is showing the risks of too much access by targeting Dutch Twitter users with malware that hijacks their accounts and sends dangerous links. The hijacking of the Associated Press Twitter account reinforced the need for better authentication – and Twitter obliged with acknowledgement that it’s working on a two-step authentication solution in a trend that’s set to become more common as users learn more about it and vendors release new solutions.

A serious flaw in the latest Java Runtime Environment is said to affect desktop and server versions of the code, while security firm FireEye says cyber-spying tool Gh0st RAT is still being used in stealthy malware attacks and malware from the Operation Beebus cyberattacks is still proving to be active.

The cybersecurity threat is getting so bad that the UK government is offering small businesses £5000 ($A7531) to improve their cyber security by hiring outside security consultants. Australian startup Bugcrowd has tried another tack, negotiating continuing professional education (CPE) points for security professionals who participate in communal bug-finding competitions, which are bringing new legitimacy and scale to penetration testing. And HP, for its part, has designed a course to help business students get on top of technical issues around cloud computing, big data, security and other network issues.

Amazon is also working to get on top of those issues, with the company looking at moving security appliances to the cloud. That can’t hurt the perceptions of those who are assessing the risk of cloud solutions before considering a move.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Stories by David Braue

Latest Videos

More videos

Blog Posts