CIO

The week in security: It's hack or be hacked as airplane rises, defences fall

Human expertise is becoming crucial to pick up the security chain where conventional antivirus solutions are dropping it, some argue, as the overall online security threat increases and DDoS attacks, by some accounts, get more sophisticated. Yet even as Australia becomes the world's second most-attacked Web target and many companies perceive the value of security analytics in fighting DDoS and other attacks, the technology was the second least actually-deployed security protection in one recent survey.

Far more common are virtual desktops, which are helping security-conscious government agencies, yet there were concerns about a different kind of desktop action as the FBI asserted that a cybersecurity researcher had claimed he caused an airplane to climb after hacking its software. Some believe this suggests a role for hackers in testing public systems, while others are concerned that there are already too many vulnerabilities in routers and other common devices, and encouraging hackers to test them is a bridge too far. Yet many companies are looking for ways to give their security experts more opportunities to stretch their legs, with one Israeli company developing an on-premise version of a popular Web game, Game of Hacks, that proved to be hugely popular (http://www.cso.com.au/article/575423/game-hacks-coming-white-labelled-version-after-strong-demand-from-security-challenged-businesses/) as both a tutorial and a target for hackers.

Amidst reports that the volume of malicious adware more than doubled in 2014 – leading many to push advertisers to boost their security – the battle to keep ahead of cybercriminals was continuing in the face of “self-defeating” signature-based security, with companies like Vodafone introducing tighter identity management frameworks to bolster their overall security.

Indeed, many CSOs are working overtime to figure out next steps in the wake of another high-profile hack, this time of global coffee franchise Starbucks. Meanwhile, desperate ransomware victims are pleading with their attackers after being caught by their nasty code. Yet there are signs that such attacks are only going to become worse, with the Australian Crime Commission flagging in a major report that organised crime is increasingly turning to sophisticated online efforts to complement or replace conventional organised crimes. Little wonder, with the scale of attacks growing and US health insurer CareFirst admitting that 1.1 million people were affected in the cyberattack to which it recently fell victim.

Fresh on the heels of a vulnerability that lets attackers spoof the address shown in the Chrome address bar, researchers were advising users not to type passwords into Android versions of Chrome until they had updated their browser or operating system. A new URL-spoofing bug in Safari was said to potentially enable phishing attacks, while other researchers developed a way to trick hackers by creating fake passwords to sit alongside the real ones in user databases. And no less than the US Federal Reserve was changing passwords after being hit by a DNS attack.

The controversial potential sale of data on millions of customers of failed US retailer Radio Shack had the US Federal Trade Commission weighing in to recommend conditions for any such sale and Radio Shack ultimately agreeing to some conditions. Dropbox was also tightening up its protection of personally identifiable information (PII), spruiking its compliance with the new ISO 27018 standard for PII security.

Apple and Google joined the voices of those pressuring US president Barack Obama to reject efforts to add encryption 'back doors' to mobile devices, even as questions were raised about the security of the Apple Watch and that popular device got its first security and feature update. And some in the US were proposing tighter export rules for computer security tools, raising the spectre of new limits to the distribution of powerful encryption technology. This, from a government that was reportedly planning to inject snooping malware into the Google Play Store and Samsung app store.

This article is brought to you by Enex TestLab, content directors for CSO Australia.