The week in security: Google fights app malware, long-term PCI compliance plummets

Government requests for Facebook user data continued to grow in the second half of 2014, the company's latest transparency report has confirmed. And, speaking of transparency, some vendors were worried by Verizon's finding that 80 percent of PCI DSS-compliant firms fail to stay compliant in the year after their certification – prompting some to push the PCI Council to accept software-based encryption alongside the hardware-based encryption it currently requires.

Such managed offerings may become more common: Verizon talked up the role of managed security services in building out online security as it expanded its ANZ cloud capabilities. Customers will want to bring in the security and compliance big guns through cloud services as health records become particularly juicy targets for hackers.

Even as Pinterest turned on HTTPS for its Web site and kicked off a bug-finding campaign with crowd-debugging firm Bugcrowd, Yahoo published the source code for its email encryption plug-in for public review. Yahoo was also working on an SMS-based method of killing the password – although not everyone was convinced that approach would replace two-factor authentication.

The US government announced that it wants to add HTTPS to all of its public-facing Web sites within two years, while discussions about data retention included the point that the private sector has a lot to offer the conversation. Telstra is certainly getting involved, arguing that it still hasn't figured out how much data retention will cost it, and the importance of privileged account controls was raised during an industry panel session.

EU Parliamentarians were visiting the US to talk about the challenges of data protection and mass surveillance, even as a proposed US data breach notification bill was criticised for being too weak.

Legislation is only one part of the security puzzle, however: corporate culture is also essential, and some were noting that corporate cultures were holding back growth in the adoption of cyber insurance. Corporate culture – and a surplus of security standards to follow – was also causing problems in the boardroom as business leaders struggled to identify the best way forward. Many executives are so caught up fighting the big-name hacks that they don't even notice the surge in problems caused by their own internal users.

Analysis of the high-volume Premera and Anthem data breaches suggested the hacking methods used against the two were quite similar and were probably the result of espionage.

Meanwhile, researchers identified 13 new Android adware apps on the Google Play app store as others pointed out that hundreds of Android and iOS apps are still vulnerable to the FREAK security hole.

Little wonder the Google Play app review process has been enhanced by adding humans to the approval process – the automated review was repeatedly found wanting, with a security firm finding that Google Play's new app checkers were being bypassed by aggressive adware apps.

Twitter was adding its own human touch, adding a tool that allows users to report offensive or threatening tweets to the police. Given that a survey found users hate the lack of privacy controls on the Internet, the threat of more rapid reporting may prove to be a deterrent to some antisocial behaviour by outside hackers.

Yet companies also love their privacy: Cisco Systems, it was revealed, sometimes ships customers' gear to unrelated addresses to stop the NSA from intercepting it and installing back doors. That's one small step towards security, although any gains Cisco made may be counterbalanced by the discovery that more than 700,000 ADSL routers given to customers by ISPs have serious flaws that allow remote hackers to take control of them.

This article is brought to you by Enex TestLab, content directors for CSO Australia.