The week in security: Are NSA’s fingerprints all over iPhone 5S, iOS 7?

What does it take to become a cyber-security legend? Opinions vary, but the CVs of five people being inducted into the National Cyber Security Hall of Fame might provide some valuable clues.

Apple’s iOS 7 may be inching towards legendary status itself, if early appraisals of its security mechanisms – deftly supported by the new iPhone 5S’s fingerprint scanner – are correct (here’s what you need to know about this significant advancement).

Yet while jailbreakers were cracking their knuckles to get down to business on iOS 7 and some were excited about the sensor’s potential to improve corporate access security, others warned that the iPhone 5S fingerprint scanner “is no silver bullet”, and still others were considering the implications of widespread sensor data collection.

Advanced persistent threat (APT)-focused security firm CrowdStrike raised $30m in funding, while Cisco Systems added a security arm to its services division and HP’s TippingPoint arm announced it would sponsor a mobile-only hacking contest with $US300,000 in prize money.

There were concerns about Google’s Chrome Apps app-delivery model, while one researcher was calling for less hatred for Windows 8’s allegedly-insecure, picture-based passwords. Get more concerned about the privacy protections around Google’s Street View service, which lost the Internet giant an appeal against a decision that its collection of unencrypted Wi-Fi data violates federal wiretap laws. This paved the way for Google users to claim for damagesover the practice.

In other situations, however, passive scanning can be quite important – for example, in containing the security risk of bring your own device (BYOD) programs. Another technique is using new sandboxing techniques such as those from Good Technology, whose eponymous mobile-security platform was certified to Defence Signals Directorate EAL4+ standards. The technique is gaining such popularity that French ministers have been told to install Android sandboxing tools if they want to use smartphones for work purposes. It’s a growing reality that government IT executives, such as the CIO of the US Bureau of Alcohol, Tobacco, Firearms and Explosives, are actively promoting.

Despite the appeal of mobility, however, corporate security managers will be concerned by reports that the BlackBerry Enterprise Server (BES) encryption has been cracked by the US National Security Agency (NSA) – which raised hackles within the EU government, where politicians called for suspension of a data-sharing agreement between the US and EU because of the NSA’s activities. The agency’s big-data efforts need more transparency, some privacy advocates argued, while a surveillance court has seemingly agreed after ordering a review of the transparency of its decisions. Meanwhile, others were pointing out rather important omissions in the recent Black Hat presentation of NSA chief Gen. Keith Alexander.

There’s no telling how the NSA will go with the secure encryption key-management cloud service announced by KeyNexus – although rumours about the NSA’s dealings with many vendors suggest the agency is pressuring vendors to add hidden backdoors in their products. Such rumours even led the National Institute of Standards and Technology (NIST) to deny that the NSA had interfered with its processes of vetting and choosing encryption algorithms. The meme was so strong that US officials came out arguing that the government isn’t “knowingly” weakening encryption.

Indeed, in the UK the government is actively encouraging it, having launched a code-breaking challenge by which it’s vetting potential new recruits. Also apparently recruiting was North Korea’s cyber-security arm, which has been blamed for cyberattacks on a range of South Korean institutions using what is being termed a ‘clunky’ Trojan-based attack.

Also targeted for attack was Vodafone Germany, which was infiltrated by hackers who stole data on two million customers in a move that is being blamed on insiders. Warnings about medical identity theft raised the spectre of yet another security issue.

Fake job ads from UK retailer Harrods were used in a phishing attack, while Westpac was also targeted by Net nasties in a move that had the bank warning users to ignore an email scam asking them to confirm their credit card details. Santander Bank was targeted in an attempt to add a rogue hardware device to the company’s network, while security researchers warned that an email spam campaign was mirroring popular Windows techniques on the Android mobile platform.

Also learning from Windows is a programmer who exploited a Windows vulnerability in public clouds to access supposedly-secure volumes on commercial services like Amazon Web Services. Of course, sometimes the cloud does the peeking itself, as suggested by new revelations about Dropbox. Also building on popular techniques are gamers, according to reports, who are exploiting inherently chatty online-gaming APIs to flood unsuspecting targets with amplified DDoS attacks.

Also sure to feature high on the security circuit – hopefully for the right reasons – is the new data hub for the US ‘Obamacare’ federal healthcare program, which was declared to be secure and ready for use – at least, until some lawmakers raised their concerns about the security of the platform.

With so many attacks around, it might be useful for them to consider an IT security rating system being offered by startup BitSight Technologies. Who knows? It might be one of the many security startups that are attracting increasing attention from venture capitalists.

Meanwhile, a new Web browser called Epic Privacy Browser bowed, with a high degree of anonymity for Web surfers. Adobe issued critical security updates for Flash Player, Reader and Shockwave Player. Apple issued the final non-security update for OS X Mountain Lion, OS X 10.8.5. Poor PHP design was being blamed for hacker attacks on a range Web sites, while Oracle added whitelisting capabilities to Java in a move that should improve corporate security by allowing highly granular controls over acceptable applets.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about Adobe SystemsAmazon Web ServicesAmazon Web ServicesAppleAPTBlackBerryCiscoCiscoDropboxEUGood TechnologyGoogleHPNational Security AgencyNSAOracleTechnologyTippingPointTippingPointVodafoneWestpacWestpac

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by David Braue

Latest Videos

More videos

Blog Posts