The week in security: Hackers targeting cloud as vendors fund OpenSSL fixes

A study found that so-called 'zero-knowledge' security efforts may not be as secure as they're held up to be. This may prove particularly problematic given reports that cloud targets – a core market for zero-knowledge encryption – are in hackers' sights. Cloud adoption is also increasing the complexity of security-log centralisation and analytics efforts, forcing companies to develop robust strategies for security data management.

Amazon came under fire after a security vendor alleged Amazon had provided customers with an unpatched version of Windows. This reflects a growing trend for attacks on cloud infrastructure, with one vendor's figures suggesting attacks on cloud providers are on the rise. Yet cloud isn't the only target for baddies, with social-sharing site We Heart It forced to turn off its Twitter capabilities after it was mentioned in a large run of spam.

As some security managers deal with some unexpected problems with virtual machines affecting the business, CloudFlare jumped on the bug bounty bandwagon with a program to pay researchers to find bugs in its network. Yet other researchers were doing it for free: one researcher found that a supposedly patched router would still respond to a 'secret knock' after being patched poorly.

The latest instalment of Verizon's Data Breach Investigations Report (DBIR) dropped, warning that Web apps are the Internet's security punching bag and point-of-sale devices had become a leading hacker target during 2013. The report also made a case for behavioural analytics, found that espionage was becoming more common] than financial crime, and found that most data breaches [[xref: to nine specific attack 'patterns'.

Jailbroken iOS devices became another hacker target, copping the wrath of a malware campaign of unknown origins. AOL also copped the wrath of hackers, who launched a spoofing attack using old AOL email addresses.

Yet, even as Apple pushed out a range of fixes for its iOS operating system, figures suggested Android devices had leapfrogged iThings when it comes to mobile advertising traffic. Ironically, Android – which has been repeatedly slammed for its security because of bugs such as a Russian SMS Trojan that sends SMS messages to premium-rate numbers – was found to be protected from Heartbleed in some cases because of mistakes in the way OpenSSL was implemented.

Heartbleed may have motivated many vendors to join an effort to improve OpenSSL through a jointly funded initiative, but Apple wasn't naming the attack as it updated OS X even as researchers warned that the company's three-week delay in patching its OS X and iOS platforms was putting users at risk. Meanwhile, BlackBerry updated its mobile software to fix a Heartbleed-related flaw, while Mozilla said it would strengthen the verification of SSL certificates in Firefox.

Straight from the bringing-order-to-chaos department, proponents of the so-called 'dark web' were given access to a search engine providing hacking tools and services. Chinese equipment maker Huawei was also searching – in its case, for a refocusing of its public-relations efforts after becoming exhausted fighting claims its security has been compromised due to Chinese government links. The company is still selling products in the US and is redoubling its efforts to move past the controversy about its provenance.

Show Comments