The week in security: Australian Red Cross bleeds private data; DDoS-IoT link prompts high-level concern

A local pitchfest brought together Australian security innovators and some very interesting ideas that reflect the future of Australian infosec. Speakers highlighted the need for curiosity and diversity. Along similar lines, one of Australia’s newest certified cybersecurity experts warned that the security community needs to undergo significant cultural change.

That’s hardly news to the Australian Red Cross, which suffered an egregious data breach that saw the personal data of 550,000 blood donors leaked. The breach – which came amidst warnings that healthcare data is under siege and being offered to the highest bidder en masse – reinforced the importance of having a data-breach preparedness plan and highlighted the vulnerability of small businesses that are, according to new figures, being breached at dizzying pace.

Blockchain technology has earned the enthusiasm of many in the business world but the technology needs rock-solid account-management capabilities to avoid crafty compromises, one expert was warning. Others were concerned about the implications of the recent massive IoT-driven DDoS attack that was directed against DNS service provider Dyn, which was overwhelmed by the incident and saw much of the US Internet compromised for a time.

That attack highlighted the dangers of IoT ‘running rampant’ as the number of insecure devices continues to increase. US legislators were all over that one – even as security researchers argued that Russia was not behind the attack, suggesting instead that it may have been pulled off by a script kiddie targeting PlayStation Network and leveraging the newly open-sourced Mirai foundation for building IoT botnets.

This, as Russian criminals’ bank attacks were going global and DDoS perpetrators moved on to targets like Singaporean ISP StarHub as they adopted new tactics like exploiting exposed LDAP directory-services servers to amplify their attacks. And Mirai showed that it had a long shelf life after being spotted harassing targets in short bursts.

Also on the connected-devices front, a flaw in a Schneider Electric PLC simulator was found to be exposing workstations to hacking and remote takeover. One security pundit was arguing that simplification was crucial to avoiding this sort of infosec problem.

Speaking of takeover: with malls going into full-spruiking mode for the Christmas shopping season, there were warnings about the dangers of flash mobs and Adobe was busy patching Flash before its users were mobbed with attacks leveraging a new zero-day exploit. Microsoft, meanwhile, added a macro blocker to Office 2013 to prevent old-school macro attacks, even as a new method of code injection promised to facilitate a way around Windows’ malware detection.

Just as concerns were raised that drones can be hijacked using a popular wireless technology, US lawmakers were also frustrated about the lack of concrete security standards in new guidelines about improving motor-vehicle cybersecurity and pushed for industry-led standards for IoT devices. There were also warnings that customers of ride-sharing service Lyft face account compromise from recycled phone numbers.

Tags: infosec, atlassian, data leak, vulnerability, DDoS attacks, Australian Red Cross, IoT, data-breach, CSO Australia, private data, Blockchain technology, DDoS-IoT, pitchfest, cybersecurity experts