The week in security: CSOs want security-negligent CEOs jailed; Black Hat FUD returns
- 10 August, 2015 11:02
Australian CSOs blame CEOs and not users for problems in IT security, according to a new survey that also showed support for jailing executives whose failure to prioritise cybersecurity leads to a breach. Yet we need a broader approach to cybersecurity skills development all around to protect our economic future, Cisco Systems has argued in a response to the first-ever Australian Government Cyber Security Review. Skills deficits were even hitting high-level cybersecurity research organisations as companies continue to snap up anyone who can spell APT.
Even as telco T-Mobile was caught in an ad-injection war between two rivals and Yahoo was dealing with a large malvertising campaign on its network that had gone undetected for at least 6 days, several UK banks were hit with a DDoS attack. One former US government official was arguing that the situation has become bad enough that private companies should be certified to launch offensive strikes against cyber-attackers.
Either way, cleaning up the spoils of such cyber conflicts can take years to complete, one security expert warned. One Electronic Frontier Foundation effort is seeking to minimise the amount of data going into the mix by making a Do Not Track standard more meaningful than it currently is.
Some iOS users were encountering a tricky deceptive pop-up advising of an alleged crash report, while those considering an upgrade to the new Windows 10 were being warned about phony upgrade email offers and ransomware scams.
Meanwhile, the Black Hat hacker conference was gearing up as researchers and hackers alike prepared to scare us all with their new vulnerabilities and other discoveries. Among this conference's highlights were a way of infecting the firmware of Apple Macs even when they aren't connected to the network; a rogue Chinese VPN service that is actually commandeering users' computers] to join an APT botnet; a [[xref:http://www.cso.com.au/article/581152/black-hat-2015-ransomware-all-it-cracked-up/ on the dangers of ransomware; weaknesses in next-generation software defined networks (SDNs); a warning that Internet of Things (IoT) devices can be used to steal data (and, contemporaneously, the FDA's first official warning about the hacking of a medical device); ways to alter potentially life-saving messages on a satellite network; and a call for security researchers to fight for their right... to study. Security risks, that is.
Even as one well-known security developer warned that encryption is largely useless, attackers began exploiting a flaw in the widely used BIND software, while others were exploring the use of file-sharing services as a covert way of controlling hacked computers. Hackers were also looking at ways of using Internet route hijacking to get fraudulent HTTPS certificates, while one researcher said hackers were exploiting an OS X Yosemite vulnerability that is being used to plant adware on Macs and another called for calm about the seemingly virulent new Mac vulnerabilities.
As US authorities readied for a vote this week on the controversial CISA bill regarding cybersecurity threat information sharing – and then delayed that vote – the US Department of Homeland Security was warning about the privacy implications of the bill.
Yet even that legislation is nothing compared with actions by Chinese authorities to embed Internet police within the largest online firms in that country. Also on the geopolitical stage, tech industry lobbyists were objecting to a section in US legislation that would require reporting of terrorist activity. Ironically, former HP CEO Carly Fiorina – now a US presidential hopeful – was arguing that Apple and Google should provide better access to user information for law-enforcement efforts.
Tesla was patching its Model S and hired a new security head after hackers figured out how to take control of its vehicles, while reports suggested that high-level US administrators had been targeted by Russian hackers.
Google announced plans to increase the frequency of regular security fixes for its Android devices; ironically, hackers were said to be exploiting vulnerabilities in remote-support tools to hack those same devices. With such reports coming thick and fast on a regular basis, it's hard to accept some claims that Android vulnerabilities could be a blessing in disguise.