The week in security: Analytics show promise as Android's StageFright continues and everything proves hackable
- 17 August, 2015 10:12
If you're worried about security vulnerabilities, you're not alone: five critical areas of security have researchers worried. One of them is the security of the Android mobile operating system, which was in the spotlight as IBM located another Android bug and a zero-day flaw in Google's Admin app allowed malicious apps to read its files. Google's first attempt to patch the high-profile StageFright bug was unsuccessful and the company said it would be November before a complete fix to the bug would be delivered.
Some observers were worrying about the implications of the flaws in enterprise contexts. Never mind findings that mobile apps in developing countries often have weak security. Microsoft issued the first security patches for its new Windows 10, while security vendor Sophos was among numerous companies revamping their ANZ channels to strengthen the delivery of next-generation security solutions.
BlackBerry, meanwhile, was denying that its embedded OS was the reason hackers were recently able to break into a Jeep Cherokee and take over its systems. This, as another exploit showed how a suitably equipped Corvette could be stopped with a simple text message – and a fix was quickly promised.
Indeed, with the Black Hat hacker conference providing ample new exploits it was arguably a scary time for those concerned about IT security. Reports suggested computers' internal 3G/4G modems can be hacked to allow malware to incubate through an OS reinstall, while Cisco was warning that its networking gear can be poisoned with rogue firmware updates. Concerns about the potential for even electric skateboards to be hacked had some arguing that properly securing the IoT and other infrastructure was going to require a concerted government intervention.
That may be a worry for those who argue the government already intervenes enough. Yet, despite a Japanese invention [that [xref:http://www.cso.com.au/article/581685/how-japan-privacy-visor-fools-face-recognition-cameras/ |foils face-recognition security cameras]], not every government is out to follow your every move: the Australian government is relatively conservative by world standards in requesting data on Twitter users, the company's latest transparency report revealed.
Even as a hotel-focused spying group called Darkhotel has re-emerged with a range of new capabilities gleaned from the Hacking Team leak, a startup company was promising a way to identify malicious wireless devices.
Meanwhile, some were celebrating the apparent end of the long-running Asprox botnet, while the Queensland University of Technology was applying analytics to its security environment to bolster the visibility of its mass of operational events. Similarly, a new IP address blacklist was being built based on Web chatter on both the normal and dark Webs. The benefits of Web trawling, empowered by big-data analytics techniques, are proving so significant that one researcher was contending its benefits far outweigh its downsides and others believe that it's time that threat intelligence grew up.
Oracle was on the back foot with the security community in the wake of blog posts criticising customers for using third-party security vendors and for reverse-engineering its code to find and report vulnerabilities. The debacle had security researchers' tongues wagging and some wondering whether Oracle was making SAP's security look positively sterling by comparison.
Even as the US Department of Justice was calling for a balance to encryption policies that also addresses law-enforcement agencies' needs, the UK government was considering whether academic researchers would benefit from a special license allowing them to work around newly imposed controls on encryption exports.
Finally, MacKeeper customers can get their money back in the wake of a successful class-action suit. And Lenovo's security reputation took another hit as another security issue was found in its preloaded software.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here
