The week in security: Tech giants defend encryption; Smart TVs a security soft spot
- 12 January, 2016 09:18
With peak retail season settling down, many were weighing the damage that hackers had wrought in recent weeks. After Hyatt Hotels said its payment-processing systems had been hit by malware, others were warning that payment terminals were often affected by poor security decisions that enabled mass fraud by hackers. Authorities dismantled a gang of criminals that had stolen 200,000 euros from ATMs infected with malware, while online vandals were said to have set a DDoS record after pummeling the BBC Web site.
Even as China passed a law requiring technology companies to help the government decrypt content, tech giants met the FBI and NSA at a meeting with a secret agenda and were lobbying the UK government not to do the same – backdoors were all the news.
In the wake of Juniper Networks' backdoor security issues, Cisco Systems began proactively looking for undetected backdoors in its products. Microsoft was banning the adware technique that lay at the heart of last year's Lenovo Superfish fiasco.
Apple was lobbying against the UK's proposed spying law, while Oracle facilitated the removal of insecure versions of its Java SE. And HP, also doing its part, announced it will integrate privacy filters – which stop snooping by people sitting next to a user – into its laptop and tablet screens.
Google has also been doing its part, with steps to improve security by using devices instead of passwords. An ex-banking executive was also looking to new forms of device security, talking up a new payment card called ScramCard, which has been designed with extra protection and has been capturing attention in many circles.
Also capturing attention was the Raspberry Pi mini-PC – although the attention in question is the kind you don't want, with malware authors apparently offering its makers money to infect customers' PCs. Such devices are increasingly pegged as soft spots in the security perimeter, with smart TVs also pegged as a key access channel for attackers and Android-based TVs proving particularly vulnerable. Even locks are going smart, as the likes of Danalock increased their pitch to the markets – although not every such solution was proving so secure, with vulnerabilities in Comcast's Xfinity Home Security offerings causing the system to report that a home's windows are closed and secured – even if they are neither. This could be less than ideal, particularly as Internet of Things (IoT) ecosystems build and more firms follow the lead of ADT, which extended its professional security-monitoring service to third-party components.
Adobe rushed a fix for yet another new flaw in its Flash Player, causing exploit acquisition firm Zerodium to offer a $100k bounty to anyone who bypasses Flash Player's latest protections. Meanwhile, Google pushed out fixes for dangerous rooting vulnerabilities in its Android operating system and secure-phone developer Silent Circle was patching a vulnerability in its Blackphone.
Hacker groups were also keeping busy, with BlackEnergy upgrading its software with a destructive data-wiping component and a backdoored SSH server. The would-be creators of Linux ransomware were shown up by researchers who found a vulnerability in their approach, while free digital-certificate vendor Let's Encrypt was on the defensive after cybercriminals ran a malvertising campaign using its certificates.