CIO

The week in security: Apple security scrutinised as mobile, IoT threats loom

The role of government in cybersecurity defences continues to morph, but there were interesting revelations that GCHQ employs 120 dyslexic and dyspraxic analysts to help in its fight against terrorism, while British PM David Cameron appointed a special envoy in charge of intelligence and law-enforcement data sharing. Interestingly, however, even as scrutiny of data sharing increases, Yahoo! reported that government requests for data had dropped overall, while one Australian cybersecurity expert said businesses and governments were increasingly seeking a collaborative approach to bolster overall cybersecurity profiles.

Given all the furore over data-sharing legislation in Australia and elsewhere, it may come as a surprise to many that the majority of Australians believe data retention is acceptable as long as access to the retained data is tightly controlled. But there, as they say in the classics, is the rub: those responsible for information security are turning to established governance platforms such as COBIT 5 to ensure they can provide that tight control. Others were turning to events such as CSO's third and final CSO Perspectives roadshow, held in Sydney to strong turnout for an interesting and varied program.

Cloud-computing platforms are contributing to the problem as much as the solution, some warn, but a new survey showed that Australian businesses use cloud services even though they fear their security – or lack thereof. Mobiles aren't helping much either: security researchers discovered that Google Play apps with millions of installs (http://www.cso.com.au/article/555594/google-play-apps-millions-installs-share-stock-android-browser-flaw/) contain the same vulnerability that recently led them to recommend users avoid the stock Android browser.

This might not help the spirits of those who think we are on the cusp of putting a dent in the flood of data breaches, but it puts Android in the same boat as users of the iPhone 6 – which, some warn, is .

Even as some people turn to the Tor anonymous browsing tool to anonymise their browsing habits, secure smartphone project Blackphone was offering a $US128 ($A146) bounty for security flaws detected in its code and reported to the project (the director of the FBI seems to consider the entire phone a problem with reports that encrypted smartphones had been flagged as a serious concern).

Meanwhile, some users were testing the limits of the privacy features of Apple's new iOS 8 operating system. Data recovery from iOS devices is also improving, according to some data-recovery specialists. Others were weighing up the security of the iPhone 6 fingerprint scanner as a mechanism for controlling access to the Apple Pay payments system – some found it severely wanting – while considering Apple's success in outsmarting potential attackers and thieves.

Others were more focused on Apple's success – or lack thereof – in updating its newly released iOS 8 mobile operating system, which ran into troubles after the 8.0.1 update was found to be causing major problems for users. As if Apple needed another security headache to deal with, a new vulnerability in Mac OS X and Linux called Shellshock was said to be “bigger than Heartbleed”.

Apple played down the threat but security administrators were sent scurrying to weigh up its implications, with some security experts offering advice and others warning that hackers were testing out the new techniques as they prepared to mount a larger offensive.

Some researchers claimed they had figured out a great way to outsmart malware by sifting through Web sites for just two common giveaways, while Russian police found a better way to combat malware by arresting two people suspected of running an Android campaign that was funnelling funds to them. The success of such mobile campaigns is worrying, but with smartphones and tablets being wiped at a rate of one every three minutes, according to figures from Fiberlink, it's not hard to figure out why they're so successful.

DDoS attackers had turned their attention to gaming hosts, ISPs and large enterprises, according to new figures from Chinese vendor NSFOCUS. Other DDoS monitors were warning that network operators needed to get more proactive in helping the fight against DDoS attacks.

Cisco tapped into its Sourcefire acquisition to build intrusion protection and other security features into its 5500 series firewalls, even as McAfee overhauled its antivirus and security software suites.

Yet such protections may be at risk of becoming mundane as the new Spike malware kit works to target new Internet-connected routers, smart thermostats, smart dryers and other Internet of Things (IoT) elements – creating new headaches in the form of massive botnets made up of common household appliances.

This article is brought to you by Enex TestLab, content directors for CSO Australia.