The week in security: DDoS rising in Australia, US warns on IoT security

Australia's information-security posture is weak by world standards, according to one of many recent vendor studies, which found that overseas CSOs rated the maturity of their security processes rather higher than those here did. It can't help that more than one quarter of security budgets is being wasted on software that sits, figuratively, on the shelf rather than being actively used.

Increasingly high-profile hacker group the Lizard Squad claimed another victim, hacking the servers of Malaysia Airlines and threatening to “dump some loot” it found there. This, as an increasing number of scams were being targeted at consumers, with the scammers impersonating US government tax authorities and the number of such reported cons increasing over 2300 percent during 2014.

Seems your private information is more at risk than ever – and this isn't helped by a growing volume of government requests for personal information. Reddit, for one, released its first transparency report and revealed that it turns over user information in 58 percent of government requests. Yet many of those people looking for private information may not even have to work that hard, with research suggesting that just three credit-card transactions can be enough to pick an individual out of a list of a million users' details.

Linux vendors were scrambling to respond to a newly discovered 'GHOST' bug that is remotely exploitable and was judged to pose a high risk to a number of Linux distributions. After further analysis, some security analysts said the bug was potentially serious and annoying to fix, but probably not catastrophic.

Adobe Systems was working hard to disseminate a fix for the latest zero-day in its Flash Player software, but was stymied by a rash of fake updates targeted at Facebook users.

This, as a study by a security vendor fingered Java as being the biggest vulnerability facing computers in the US (although one suspects the reported near-death of conventional virus scanning can't be helping either).

Little wonder that users are looking for tools to improve their privacy, although 20 million users of a dating Web site may have found their efforts at privacy were too little, too late after a hacker stole 20 million user credentials from the site. Other exposures are being discovered and discussed on a regular basis, with the US Federal Trade Commission (FTC) warning that Internet of Things vendors should make privacy a top priority as they design the emerging generation of connected devices.

Such devices are contributing to a growing volume of security alerts and management overhead, which is going to force organisations to get smarter about their security monitoring: one study found that a large percentage of security alerts are redundant and dealing with them is consuming resources that could otherwise be directed elsewhere.

One under-recognised ally in the fight against malware is DNS services, which are emerging as a new front-line defence against phishing sites, botnets, intrusive advertising and more.

Yet hackers are continuing to prove ever-resourceful, with a new kind of DDoS threat targeting name servers and surging use of reflection techniques increasing DDoS attack size at a dizzying pace. At the same time, a new survey of DDoS attacks during 2014 found that better broadband services were helping Australia become a perpetrator of DDoS attacks as well as a victim.

It was revealed that a flaw in the supposedly super-secure Blackphone rendered it far less secure than it was supposed to be, while Mozilla was gradually phasing out trust for SSL certificates issued using old 1024-bit RSA keys. Also on the encryption front, hackers were increasingly targeting high-value businesses by encrypting their Web sites.

Boffins at startup PFP Cybersecurity were looking at ways to detect malware by analysing changes in the performance of computing hardware, while revelations emerged that the US Drug Enforcement Administration has been tracking hundreds of millions of cars traversing the US.

Yet it's not the only government body participating in the surveillance state: there were suggestions of a link between keylogging malware linked to the NSA, and Regin espionage malware used to spy on individuals and organisations for years. Such activities have raised concerns about mass surveillance, which a European study has warned 'endangers fundamental human rights'.

That hasn't, however, stopped the Canadian government from actively monitoring millions of file-sharing downloads every day to identify political extremists.

European regulators were also under the pump after Germany's privacy overseer warned that the US and EU must complete guidelines about transferring data on EU citizens to the US soon. Privacy concerns were also looking to ground a proposed EU air passenger registry, while US legislators were getting stuck on old arguments as they discussed the way that data breach notification legislation might evolve. Sharing information about new cyber threats must, privacy advocates say, include strong privacy protections. Imagine that.
