Commemorations of Privacy Awareness Week included some high-profile pronouncements from Australia’s Privacy Commissioner, who has made it his goal to educate Australian businesses about their new obligations under privacy laws that will change in March 2014. This, on the back of survey findings that suggest 59% of Australian companies are still unaware of the impact and responsibilities of those new laws. With penalties promised in the six and seven figures, ignorance may most definitely not be bliss in this case.
Interestingly, although the European Union gets the lion’s share of attention for its privacy regime, one privacy expert has given Australia’s emerging privacy regulations the thumbs-up and suggested that IT managers keen to improve corporate privacy may find much to emulate in the behaviour of 17-year-old girls. Another option is to look into novel ideas like self-detonating data, which promises a new twist on the old Mission Impossible “this message will self-destruct in five seconds” meme.
One of the recurring stories in the security world is the lack of suitably certified skilled security staff. Education body (ISC)2 took another step to address this with a new certification, jointly developed with the Cloud Security Alliance and designed to formalise cloud-security training and certification. That adds a human element to complement industry efforts, such as Trend Micro’s launch of new services to protect Amazon Web Services (AWS) cloud-hosted servers. Virtual servers may help boost security, a new Gartner report suggests, while Samsung’s new Knox security and management software have been judged secure enough to be used on the US Department of Defense network. Even telecommunications carriers are being tipped to join the fight as content-aware defences add a new line of defence for bring your own device (BYOD) programs.
Security attacks can come from anywhere – printers, routers, and even that van parked outside your house, as Spain’s Interior Ministry found after investigating a man suspected of recently participating in a large DDoS attack. Turns out old vans can be used to support DDoS just as easily as old network protocols abused to launch them.
That’s not the only thing authorities are finding: a new detector can find mobile phones even without batteries or SIM cards. Also posting surprising findings is online gaming service ESEA, which admitted to using spare graphics processing unit (GPU) cycles in its clients’ computers to mine bitcoins without their knowledge. Also on the bitcoin front, an effort to improve US and Canadian citizens’ access to bitcoins has turned into a $US75 million ($A72.7m) lawsuit.
Meanwhile, McAfee found a flaw in the PDF-tracking features of its Adobe Reader and D-Link found flaws – and then patched them – in its IP camera firmware that could allow an IP video stream to be spied upon. And, on a similar note, an online monitoring scheme to boost law enforcement visibility could also offer new powers to state-sponsored hackers, experts warn.
They may not necessarily need them – at least not in China, where hackers seem to have already successfully pilfered large amounts of military and espionage data from US company QinetiQ during three years of persistent cyberattacks. The US Department of Labor and Army Corps reported successfully being hacked (and deny any risk), with such notifications reflecting an increasingly open environment of disclosure that could, reports suggest, become more commonplace if a proposed data breach notification law is introduced in Australia.
Microsoft is offering Webmasters of malware-flagged sites the chance for the sites to be re-evaluated, but a second detection of malware could extend the ban considerably. Improved malware-management capabilities are also being delivered with Splunk’s addition of statistical analysis to an enterprise security app, while observers were urging calm in the face of the first jailbreaking of the vaunted Google Glass wearable-computing technology.
Experts were offering advice about phishing, encryption as a security enabler, elements of a successful security awareness program, and 25 must-have technologies for small and medium businesses (SMBs), while – in the wake of an attack on Apache Web servers by ‘Cdorked’ malware – others were advising that corporate open-source projects are proving more difficult than many may expect.
Code vulnerabilities aside, many Web providers – such as Facebook, which has been experimenting with a new form of password recovery – have been fingered in an analysis of their relative commitments to online privacy. Twitter scored highly while Verizon and MySpace got zero out of six possible stars in a recent assessment. The willingness of online properties may become even more important as the FBI pushes to require Facebook, Google and others to build backdoors that would let them snoop on online communications in real time. It’s similar in concept to a bill in The Netherlands, which would give law-enforcement agencies a variety of hacking powers to support their investigations. And, yet, such access may prove superfluous, with figures suggesting a spy court approved all electronic wiretap requests it received in 2012.
As if potential intrusion from law enforcement agencies wasn’t enough to worry privacy advocates, many are concerned about malware versions of popular software masquerading as legitimate apps, as Mozilla found in launching a cease-and-desist action against a European company that had created a malware-laced version of Mozilla’s Firefox browser. Ditto content spoofing, which has been identified as a major Web site vulnerability. The problem of identity confirmation is so bad that Google is moving to only allow software loaded from its Google Play store, although it’s not clear just how much that will improve the situation.