The week in security: iPhone biometrics hacked, NSA intrusions tracked

A rise in the number of Internet Explorer attacks saw the Internet Storm Center raise its threat level to ‘yellow’. The attacks were linked to Bit9 hackers using Chinese infrastructure, according to security firm Symantec, even as reports suggested IE vulnerabilities were being exploited more widely than previously thought.

Also on the browser front, Google was commended for getting rid of the Netscape-era NPAPI plug-in architecture, which had been aging poorly. After all, malicious browser extensions pose a serious and undetected threat, according to one security researcher. So, too, do graphics cards – yes, graphics cards – as researchers floated the possibility of malware being hidden in system firmware.

The ever-increasing profile of security threats drove business advisory firm Deloitte to launch a new Cyber Intelligence Centre designed to help companies track and respond to cyber threats. It also drove security expert Rob Lee to take an unconventional approach to security by writing a picture book called SCADA and Me that has disarmed many with its simple approach to a complex concept.

Attempts by New Zealand companies to avoid damage by relocating their data centres to safe zones are ‘futile’, according to one industry watcher. Yet it was Sudan that disappeared off the Internet, with reports suggesting the government had pulled the plug on the Internet there.

Schools’ use of cloud-storage documents is compromising students’ privacy, according to a campaign group that’s calling for greater awareness of the risks around such services in educational environments. A cloud vendor was petitioning IT departments – in schools and out of them – to become more careful about which services they block. Cloud-storage company Dropbox was also calling for greater awareness – of the number of government requests it receives for access to user information.

Yet it won’t be only government agencies asking for access to user information after a California law allowed minors to ask Facebook, Google, Twitter and other sites to remove or hide potentially compromising digital content. Such a law might appeal to the likes of former London deputy mayor Richard Barnes, who said that hacking was responsible for a series of nude self-portraits that appeared on his Facebook page.

Meanwhile, Australia is faring relatively well when it comes to being a target for phishing, exploit-kit penetration, and Bitcoin mining, according to a study from European security vendor F-Secure. But it appears to be an equal-opportunity victim of sneaky tactics by ad-injection services that are manipulating the search functions of Yahoo, Google and other search networks. Perhaps they need the help of ‘Viceroi’, a new algorithm that researchers say could improve the detection of click fraud.

Attacks on Apple’s new iPhone 5s fingerprint sensor continued, with a German group arguing that an old fingerprint-copying technique, based on making a rubber duplicate of a fingerprint, can bypass the security method.

No wonder a proposed biometrics-based social-support card in India received a setback from the country’s Supreme Court. Also in international news, the Icefog spying operation was said to have been stealing data from organisations in South Korea, Japan and elsewhere over the past two years using hit-and-run APTs.

With the security of Apple’s fingerprint scanner being widely slammed in the security community – even though some still argue that it’s useful and relevant – others say encryption is still the best form of protection, despite reports that the US National Security Agency (NSA) has cracked widely used encryption algorithms. Confirming its lust for data, the NSA was approaching the private sector for access to more Americans’ communications, while an Obama Administration-led data-classification regime was looking set to overhaul the way the US government shares sensitive information.

No wonder government IT leaders are wrestling with the security risks of their changing roles. The NSA was even said to have facilitated spying by employees on their significant others.

The NSA’s intrusions are sending many companies overseas, according to reports, while two former US senators said the organisation needed to be reined in. Putting weight behind the words, a group of US legislators has banded together to introduce legislation to prohibit the bulk collection of Americans’ phone records. Nonetheless, European legislators were calling for reining in – of the US – after the NSA revelations convinced them the EU should reconsider its data-sharing deals with the US. Little wonder, after a US surveillance court gave the NSA free rein to collect as many telephone records as it wants to.

NSA paranoia has become so fevered that cloud company Egnyte has launched a ‘PRISM protection’ file-sharing appliance. Less secure was BlackBerry, which took on a defensive posture as its planned release of BlackBerry Messenger for iOS and Android devices was compromised after an unofficial Android version appeared. Also in the Google Play store, Google moved to pull an app claiming to allow connectivity with Apple’s iMessage service, all the while dealing with a French government sanction over privacy-law violations, and an instant-messenger bug that misrouted messages.

These sorts of problems and issues reflect the growing exposure of social media users and mobile phones, which were named as the top attack targets in an IBM X-Force analysis. Some efforts to improve this focus on the seven key characteristics of a secure mobile app, while others focus on the need to debunk four mobile security myths.

The X-Force report also suggested that the number of disclosed security vulnerabilities is expected to decline this year compared with last year. A security update to the Apache Struts security framework fixed two significant problems, while Twitter fixed a problem that had seen many users downloading an unexpected BitTorrent file when they clicked on a Twitter website button. Speaking of BitTorrent, the prison sentence handed to a co-founder of BitTorrent distribution site Pirate Bay was lowered to one year after an appeal.

Java continued its reign as the most widely exploited vulnerability this year, while Apple remains a tempting target for phishing scammers. But it was far from the only compromised target, with the Dropbox-owned Mailbox app fingered for allowing unwanted code execution and even city lighting systems under siege by spear phishing.

A new information-stealing malware called ‘Napolar’ was gaining traction in recent weeks, with hundreds of infection attempts detected every day. Hacks of three major data brokers were said to have weakened bank authentication, while Cisco Systems updated its IOS to fix 10 DoS-related vulnerabilities and Apple updated its iOS 7 with a new patch fixing its demonstrated lockscreen flaw.