CIO

The week in security: Moving on Internet of Things security, lagging elsewhere

Malware authors are proving increasingly successful at seeding fake Google Chrome extensions on Facebook. Appropriate, then, that Facebook launched a platform called ThreatExchange in which users can share information about security threats with their friends.

Cloud-storage firm Box patched a bug in its Mac client application after it was found to be exposing sensitive data; citing similar concerns about Box rival Dropbox, the University of Liverpool began using a different file-sharing system in an attempt to rein in its exposure. Yet there was no way to patch another exposure of sensitive data, with a security researcher releasing 10 million usernames and passwords collected from data breaches over the last decade.

Yet that wasn't the worst of it: a group of students claimed they had uncovered some 40,000 MongoDB instances running unprotected online – including one that they say contains 8 million customer records belonging to a French telecommunications company. Even US governor and presidential hopeful Jeb Bush was getting in on the action, with a mass email dump putting the personal information of his constituents online – and revealing a bunch of viruses in addition.

The acquisition of an Internet of Things (IoT) security specialist by chip maker ARM highlighted the industry's push to secure IoT from the get-go, as did reports that increased shipments of biometric security components suggest growing saturation of the technology in a range of devices. Concerns about smarter but insecure cars – made by manufacturers that some say are taking a “haphazard” approach to security – are also putting some people on edge.

Gartner agreed that IoT makers undervalue security. Fears are so high that a group of US senators is already pushing for privacy and security legislation around IoT. Not one, but two different bills have now been introduced to manage the IoT threat.

Yet IoT elements are far from the only devices getting scrutiny: there were claims that Samsung's smart TVs may be listening to personal conversations – quickly refuted by Samsung – as well as concerns that Advantech industrial controls were exposed to a remote code-execution vulnerability, and worries about the potential scope of healthcare data breaches as US states pushed recently hacked healthcare insurer Anthem to quickly provide information about the hack to its customers.

Twitter reported that the volume of government data requests increased by 40 percent between the first half of 2014 and the second half. The EU Parliament blocked use of Microsoft's new Outlook applications because of what were termed “serious security issues”. Also on the attacks front, ransomware authors were streamlining their attacks as infections continued to rise.

The Australian government was tackling issues of its own with the tabling of legislation that would create a new Children's e-Safety Commissioner charged with policing potentially problematic online content. And, for its part, the US government was creating a cybersecurity agency designed to monitor online threats and fill in an information gap by sharing data about attacks amongst government departments.

Such proactivity is going to become increasingly common as state-sponsored attacks continue to rise – a new study found that China was behind the most state-sponsored attacks in 2014 but most were targeted at Vietnam, not the US. Even the Netherlands was feeling the pinch after a massive DDoS took its government sites offline for 10 hours.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

