Tongues were wagging all week about the hack of infidelity-facilitating site Ashley Madison, whose customer database and profiles were stolen and threatened with release by hackers who were angry with the company's ineffective account-deletion policies. The hack looked set to demolish the company's dreams of a London IPO.
The hack sparked a broader discussion about the true effectiveness of data-deletion policies and IT companies' ability to protect personal information online. Some warned that many sites don't hide the fact that a particular user is registered with them. Online privacy took a further blow after a US judge ruled against Facebook's efforts to challenge the constitutionality of search warrants served on its users. Similarly, a French court ruled that new surveillance laws are constitutional.
Executive awareness of the need for IT risk management has surged in the past year, according to new Gartner figures. But one security expert was warning that businesses need to stop weighing the risk of cyberattacks to their business based on their company profile, since greater automation in the attack process means many hackers have no idea what company they're penetrating until they get through.
Interestingly, many IT security teams are already spending too much time and money fixing self-inflicted problems rather than fighting external threats, according to a survey of Black Hat conference attendees (little wonder, with new warnings suggesting non-technical users still don't understand data security). There is no lack of the latter, however, with a new bug in the OpenSSH library allowing attackers to bypass restrictions on the number of password retries allowed for incoming users. DDoS attacks pose another challenge, with the severity of such attacks surging in the latest Australian survey. Some companies even have to deal with accidental interference from their own government, as happened during a Belgian government phishing test.
Cyberespionage groups have been reaping the rewards of another high-profile hack, that of hacking group Hacking Team, whose cache of exploits has been carefully scrutinised and led to, among other things, Microsoft issuing an out-of-band update to patch a Windows zero-day affecting numerous versions of Windows – including the as-yet-unreleased Windows 10 (which, by the way, will be getting much quieter security updates than we're used to). One documented piece of Android malware was said to be able to hack 500m Android devices. One former Hacking Team partner even stopped selling zero-day exploits on ethical grounds. Not everything about the Hacking Team leak was good news, however, as a South Korean intelligence officer who used the group's software was found dead in an apparent suicide.
Meanwhile, some were contemplating the true complexity of next-generation endpoint protection – particularly in the wake of the high-profile hack of a Jeep Cherokee that prompted a 1.4m-vehicle recall and drove the US Senate to propose a cybersecurity standard for cars. The UK is already tackling the issue, by the way – which is probably a good thing, since some warn that firewalls can't protect the cars and the hackers responsible for the Jeep hack say they could do the same thing to 'hundreds of thousands' of other vehicles.
Security-software firm Malwarebytes began blocking some file-torrent sites, citing security concerns, while the online advertising industry was kicking off a fresh effort to fight click fraud – even as Google found itself racing to stamp out a wave of Android apps that pretend to be games but secretly click on advertisements on pornographic Web sites.
Even as one local solutions provider praised the “incredibly innovative” efforts of ANZ government bodies in improving security, Microsoft was said to be paying $US320m ($A440m) to acquire cloud-security specialist firm Adallom in a move expected to reinforce the company's cloud-computing credentials. Google criticised proposed tighter controls on exporting intrusion software, arguing that it would compromise security research.
As has been common lately, Internet of Things (IoT) security was also in the news, with BlackBerry buying IoT-security firm AtHoc even as an HP study said smartwatches could do better on data protection. Yet IoT security is, by reports, causing headaches for equipment makers, who blame Apple's onerous security requirements for delays in releasing HomeKit-compatible security devices.
This article is brought to you by Enex TestLab, content directors for CSO Australia.