CIO

The week in security: NSA surveillance unjustified; Australian Privacy Act compliance lags

Companies are increasingly turning to threat intelligence to help shape their response to security attacks, which some have argued must become increasingly defensive as the nature of the threat changes over time.

Bendigo Adelaide Bank, for one, has accommodated that change by putting security top of mind in its boardroom – reflecting a need to incorporate the human element into security practice. Government agencies were also dealing with the human element, with new research suggesting that most government data security breaches are due to human error rather than forceful outside hackers.

The situation is different in healthcare, where criminal attacks surpassed accidental breaches for the first time. Policies are also an issue, with the OAIC recently finding that more than half of Australian organisations' privacy policies are inadequate. Making matters worse, nearly half of employees are inadequately trained around Privacy Act compliance.

Application controls have provided a good way of managing that change – particularly in managing the security of today's BYOD world – yet even tight controls aren't always perfect. Google was dealing with this as researchers tried to compromise an anti-phishing extension it had developed for use within its tightly controlled Chrome browser.

If you stayed at the Hard Rock Hotel and Casino on your last holiday to Las Vegas, you may want to double-check your credit card statements: the hotel warned of a hack of its payment systems that may have affected customers over the last 8 months. And for its part, Sally Beauty Holdings warned that it may have suffered a second credit card breach.

Yet that wasn't the only deception going on: the US Department of Justice began looking into a secretive program that uses false mobile phone towers to surveil citizens. The CEO of security vendor Palo Alto Networks was warning that our cars were becoming a particularly problematic attack vector.

Also problematic are tools like Superfish, which injects ads into 1 in 25 Google page views, and the Rombertik malware, which destroys infected systems if detected during security checks. Indeed, even as mobile ransomware targets Canadian porn viewers, cybercriminals are also increasingly learning other tricks from advanced persistent threat (APT) techniques as they target point-of-sale vendors.

Dropbox shunted all of its non-US users to a new operational entity, Dropbox Ireland, in what is being seen as a nod to the EU's strict privacy laws. Internet legend Vinton Cerf was also weighing in on privacy, arguing for broader use of data encryption and railing against proposed encryption back doors promoted by the government.

French citizens may see less privacy rather than more, with lawmakers in that country inching toward allowing real-time Internet and mobile-phone surveillance. The US legal situation was rapidly changing, with an appeals court ruling that mobile phone users have “no reasonable expectation of privacy” for their location data.

Surprisingly, it was normally pro-privacy civil liberties groups opposing a recent bill that ended the NSA's mass-surveillance program – even as a judge tore apart the government's justification for the program and several members of Congress moved to stop warrantless surveillance of US residents.

Some estimates suggest that 95 percent of SAP environments are falling behind when it comes to securing their environments. Microsoft agrees that tighter security has become increasingly important, with a new and faster security-patch release cycle pushing constant updates and a stronger emphasis on security support designed to keep enterprise customers loyal. And, for its part, Netflix open-sourced an internally-developed security incident management tool that it believes has broader applicability to the community at large.

Apple's MacKeeper security tool celebrated its 5th birthday in ambivalent fashion, even as users become more savvy about securing their home networks.

Yet home networks weren't the only target causing problems: a manufacturer of industrial electronic locks has resorted to a copyright takedown notice to stop a security firm from publishing details about security flaws in its lock. Also facing potentially embarrassing security scrutiny were Internet of Things-style embedded devices, which will be the subject of the DefCon hacking contest in August. Also boosting security were efforts to improve the security of public Wi-Fi services, which were positioned by some as being related to new enterprise-grade authentication standards.

Fortinet was pulling out the stops as its new managing director began executing on a strategy to kick-start the company's ANZ business, while Webroot was also ramping things up as its new Australia-based APAC regional managing director began his tenure with the company.

This article is brought to you by Enex TestLab, content directors for CSO Australia.