The week in security: Apple security scrutinised; certifications to boost cloud appeal

Security pundits were poring over Apple's new Yosemite operating system, with some noting that the revised Spotlight service was sharing search terms by default; Apple responded by arguing that the Spotlight Suggestions feature was in fact not violating user privacy, even as other onlookers warned that Yosemite's version of TextEdit would upload unsaved documents to the company's iCloud service.

Yet Apple did concede that there had been attacks on its iCloud service, after China allegedly moved to intercept customer information from the service and CEO Tim Cook met with a Chinese official to push the case for better user privacy.

Apple announced it would stop using SSL 3.0 for push notifications, while the growing awareness of its Apple Pay payment infrastructure raised questions about whether NFC spoofing techniques would work with Apple Pay. Some were optimistic about its potential to boost the usage of similar services on Android devices, while others were focused on helping users remain as secure as possible in the Apple Pay world.
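Dropping SSL 3.0 on the server side only helps if clients refuse to fall back to it too. The following is an added example, not Apple's or any vendor's code: it uses Python's standard ssl module to build a client context that will not negotiate anything below TLS 1.2 and verifies the peer, places a deliberately weak context beside it for comparison (a constructed stand-in for an older client that accepts whatever the server offers), and audits either one. The function names and the checks are assumptions chosen for illustration; the technique applies to any TLS client, not only push-notification providers.

```python
import ssl
from typing import List

# Floor for acceptable protocol versions (assumption: TLS 1.2 is the minimum
# a practitioner would accept today; SSL 3.0 and TLS 1.0/1.1 fall below it).
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL 3.0 and pre-1.2 TLS and verifies the peer."""
    ctx = ssl.create_default_context()          # system trust store, CERT_REQUIRED
    ctx.minimum_version = MIN_TLS               # no downgrade below TLS 1.2
    ctx.check_hostname = True                   # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED         # unauthenticated peers are rejected
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed weak context: accepts any version and any (or no) certificate.

    This mirrors the kind of client that silently downgrades to SSL 3.0; it is
    here only so the audit below has something to flag.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passes."""
    findings: List[str] = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


if __name__ == "__main__":
    for label, build in (("hardened", hardened_client_context),
                         ("legacy", legacy_client_context)):
        problems = audit_context(build())
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run the audit against whatever context your own client code builds; a non-empty result means the client would still accept a downgrade or an unauthenticated server, regardless of what the server has disabled.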

With criminals trading 110 million stolen credentials in 2014, US president Barack Obama mandated chip-based credit card security with an Executive Order, even as US office-supplies giant Staples confirmed it was the subject of a data-breach investigation. Security firm FireEye said that British and German government, energy, finance and telecoms organisations were the most popular European targets for hackers, while Symantec reported a rise in high-volume DDoS attacks.

Akamai saw the size and volume of DDoS attacks setting records, while 'Backoff' malware was spreading and CryptoWall ransomware encrypted a US company's entire server installation.

Researchers warned that network-attached storage (NAS) devices are riddled with vulnerabilities, while a new commercial exploit kit called Fiesta was already taking advantage of a brand-new vulnerability in Adobe's Flash Player. Microsoft disclosed a zero-day flaw that affects most versions of the Windows operating system and published a quick fix for it, while new Android 'Koler' ransomware gained the ability to spread itself by text message and proceeded to spread across the US. A massive malvertising campaign was delivering ransomware to visitors of Yahoo, AOL and other popular sites.

Speaking of SMS spam, a group of text-message spamming companies agreed to pay $US9 million in penalties after a formal US government investigation. Europe launched its own fight against digital criminals as a new European Commission organisation was created to focus on regulation in the digital domain.

Google began letting users protect their accounts against password compromise with two-factor authentication in its Chrome browser based on USB security keys. Identity, after all, is the key to security.

Even as one security executive warned that Australian businesses were “struggling” to keep up with the security risk from cloud and mobile environments, some were arguing that better government regulation around cloud security would boost the use of software as a service (SaaS) models in healthcare environments.

Also aiming to bolster the use of cloud services in sensitive environments were vendors like CipherCloud and Senetas, which achieved new government certifications they hope will promote the secure use of new services by high-profile government organisations.

This article is brought to you by Enex TestLab, content directors for CSO Australia.