The week in security: Apple patches iOS 0-day, new attack decrypts HTTPS

The Australian government has had a mixed year on cybersecurity. Many lauded its leadership in the area, which is helping CISOs tighten the screws on virtualisation-enabled DevOps teams, while others warned that government encouragement of threat-intelligence sharing needs teeth, given signs that the billions spent on cybersecurity aren't making us much safer and that data security remains an unsolved problem.

Also not making us safer are Facebook, Google and Twitter, said some UK MPs, while others said businesses would gain more by tightening access privileges so that staff can reach only the information they need, and by revoking that access promptly for departing employees, many of whom have shown a predilection for taking company intellectual property with them as part of their severance package.

Even when they don't take data with them, security staff are keeping busy working out the best way to land new jobs, which tied in with ongoing warnings about shoring up the so-called human firewall. On the technical side came warnings about 'Sweet32', a birthday attack on 64-bit block ciphers such as 3DES that recovers plaintext (a session cookie, say) from a long-lived HTTPS session without ever learning the key, provided the attacker can drive enough traffic through that one connection. The practical fix is to stop offering 3DES cipher suites and to rekey long-lived connections before they carry tens of gigabytes under one key.
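A toy reproduction of the Sweet32 idea, added here as an example (it is not code from the article or from the Sweet32 researchers): the block size is shrunk from 64 bits to 16 so the collision shows up instantly, the cipher is a seeded random permutation standing in for 3DES, and the "traffic" is constructed inline to mimic a browser resending the same cookie block alongside attacker-known request bytes. The attacker never touches the key; it only looks for two equal ciphertext blocks in CBC output and XORs the preceding blocks together.

```python
"""Sweet32-style birthday attack on CBC with a small-block cipher.

Added example, not from the original article. BLOCK_BITS is 16 here so a
collision appears after a few hundred blocks; with 64-bit blocks (3DES) the
same arithmetic needs about 2**32 blocks, i.e. tens of gigabytes in one
session, which is why Sweet32 targets long-lived HTTPS connections.
"""
import random

BLOCK_BITS = 16                   # toy size; real Sweet32 targets 64-bit blocks
BLOCK_BYTES = BLOCK_BITS // 8


class ToyBlockCipher:
    """Random permutation over 2**BLOCK_BITS inputs, standing in for a keyed PRP.
    The attack never looks inside it; only the block size matters."""

    def __init__(self, seed):
        table = list(range(1 << BLOCK_BITS))
        random.Random(seed).shuffle(table)
        self._table = table

    def encrypt_block(self, block):
        return self._table[int.from_bytes(block, "big")].to_bytes(BLOCK_BYTES, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(cipher, iv, blocks):
    """Plain CBC: C[i] = E(P[i] xor C[i-1]) with C[-1] = IV. Returns a list of blocks."""
    out, prev = [], iv
    for p in blocks:
        prev = cipher.encrypt_block(xor(p, prev))
        out.append(prev)
    return out


def build_traffic(secret, n_requests, seed):
    """Constructed victim traffic: each 'request' is one attacker-known block
    (think: a URL path the attacker made the browser fetch) followed by the
    secret block (think: the session cookie). Returns (blocks, known_index_map)."""
    rng = random.Random(seed)
    blocks, known = [], {}
    for _ in range(n_requests):
        k = rng.getrandbits(BLOCK_BITS).to_bytes(BLOCK_BYTES, "big")
        known[len(blocks)] = k
        blocks.append(k)
        blocks.append(secret)
    return blocks, known


def sweet32_recover(iv, ctext, known):
    """Attacker side. Equal ciphertext blocks C[a] == C[b] mean the cipher inputs
    were equal, so P[a] xor C[a-1] == P[b] xor C[b-1]. If P[a] is known, the
    secret block is P[b] = P[a] xor C[a-1] xor C[b-1]. No key is involved.
    Returns the recovered block, or None if no known/secret collision occurred."""
    def prev(i):
        return iv if i == 0 else ctext[i - 1]

    groups = {}
    for i, c in enumerate(ctext):
        groups.setdefault(c, []).append(i)
    for idxs in groups.values():
        knowns = [i for i in idxs if i in known]
        secrets = [i for i in idxs if i not in known]
        if knowns and secrets:          # known-vs-known or secret-vs-secret pairs leak nothing new
            a, b = knowns[0], secrets[0]
            return xor(known[a], xor(prev(a), prev(b)))
    return None


def birthday_bound_bytes(block_bits):
    """Rule-of-thumb ciphertext volume at which a block collision becomes likely:
    about 2**(n/2) blocks of n/8 bytes (roughly 39% probability; 50% needs ~1.18x)."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def demo(seed=1):
    """Run the attack on constructed traffic; returns (recovered, actual_secret)."""
    secret = b"\xca\xfe"            # constructed stand-in for one cookie block
    cipher = ToyBlockCipher(seed)   # the attacker does not get this object's table
    iv = b"\x13\x37"
    blocks, known = build_traffic(secret, n_requests=2048, seed=seed + 1)
    ctext = cbc_encrypt(cipher, iv, blocks)
    return sweet32_recover(iv, ctext, known), secret


if __name__ == "__main__":
    got, want = demo()
    print("recovered:", got.hex() if got else None, " expected:", want.hex())
    for bits in (64, 128):
        print(f"{bits}-bit blocks: collision likely after ~{birthday_bound_bytes(bits) / 2**30:.0f} GiB")
```

With 2,048 requests (4,096 toy blocks) the expected number of useful known-vs-secret collisions is around 64, so recovery is effectively certain; at 64-bit blocks the same ratio requires on the order of 2**32 blocks, which is the `birthday_bound_bytes(64)` figure of 32 GiB and the reason the attack is only practical against connections that stay up for hours under one key.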

That's likely to create new burdens for companies figuring out not only how to avoid being hacked, but what to do when they are. A Gartner security event brought warnings about the state of data security and the dizzying influx of issues created by a flood of smart devices. Cisco was patching its firewall devices against a flaw exposed in the recent leak of NSA-linked exploit tools, which highlighted the importance of choosing and managing vendors carefully.

There were warnings about ransomware disguised as voicemail notifications, while the New York Times said its Moscow bureau had been hit with a cyberattack. A new Linux Trojan was found scanning content management systems as reconnaissance for building botnets, while some argued that the hackers who obtained the NSA exploits had likely forfeited a massive financial windfall by leaking them rather than selling them.

In the vein of Tor, cybersecurity contractors debuted a new anonymising service called IDVector, creating a new headache for law-enforcement authorities, which, reports suggested, are themselves heavy users of the same encryption technologies that cause them so many problems when investigating crimes.

Meanwhile, US Republicans subpoenaed three tech firms that had declined to hand over information related to Hillary Clinton's private email server, while that country's government was under fire for plans to collect social-media information from visitors to the country. Security experts said the hack of an Epic Games forum was a reminder of the need to install security patches promptly, and hackers leveraged a vulnerability in vBulletin forum software to break into 27 million more accounts.

And, in a small win for the good guys, security firm CrowdStrike became an official contributor to Google-owned VirusTotal's malware database. Apple moved quickly to patch iOS against a zero-day spyware attack, while Dropbox imposed a blanket password reset on users who signed up before mid-2012 and hadn't changed their password since.

HP Enterprise suffered a confidence blow after NASA's CIO refused to sign off on an authority to operate that would have let the company continue running the agency's systems after the expiration of a $US2.5b systems-security contract awarded in 2011.

There were warnings that application-layer DDoS attacks are on the rise, the discovery of an Android botnet that uses Twitter as its command-and-control channel, and the revelation that hacked adultery site Ashley Madison had been misleading users by displaying a security award it had simply made up. Privacy bodies in Australia and Canada were unimpressed, to say the least.
