The week in security: Apple-FBI encryption stoush dominates RSA; Aussie execs less hands-on than APAC peers
- 07 March, 2016 08:49
Encryption continued to dominate the news agenda as a report found it was hugely important as a compliance tool, even as Apple – testifying before Congress about the FBI's request for help to unlock a terrorist's iPhone – said complying with the order would be an “undue burden”. Lawmakers weighed the possibility of copying the target iPhone's memory to allow investigators to keep trying unlock codes until they hit the right one, while Apple reinforced the importance of encryption as a “necessary thing” as it stuck to its refusal to help the FBI create what some have labelled the security industry's first security 'front door'.
Lending weight to Apple's arguments, a New York judge struck down a previous order for Apple to extract data from an iPhone in a separate criminal case. The FBI-related case also became a little cloudier when the organisation's director admitted it was a mistake to ask San Bernardino County administrators to reset the password of the terrorist's iCloud account. And, in a similar case, Brazilian authorities arrested a Facebook executive after allegations that the company's WhatsApp had ignored a drug-related court order.
The escalating Apple-FBI dramas were a rich backdrop for conversations as executives speaking at the RSA Conference in the US weighed in on the debate and said that encryption backdoors were only useful against petty criminals. Top security researchers were united in their opposition to back doors, while the NSA asked technology giants to help it fight cybercrime and terrorism. A US Attorney General's office spokesperson said it was possible to stay safe even with back doors into encryption tools, while one well-known security researcher said – even as Apple formally appealed the iPhone unlocking order in question – that Apple chose the wrong case in which to make its stand against encryption backdoors.
Even as security duo Diffie & Hellman won the 2015 ACM A.M. Turing Award for their 1976 work introducing public-key encryption and digital signatures, a new security standard for encrypted voice and video, called Secure Chorus, was launched at the Mobile World Congress after intensive development efforts led by the UK's GCHQ. That standard will hopefully fare better than TLS, where a newly disclosed vulnerability affects one in three HTTPS-capable Web servers and is, for some researchers, proof positive of why you shouldn't weaken encryption.
Also at RSA, there were claims that widespread use of geolocation has killed privacy and that artificial intelligence will play an increasing role in security leadership. There were also discussions about the ability of application morphing to deliver endpoint security, and concerns about liability around Internet of Things (IoT) security, which took yet another hit as an analysis using new open-source testing tools found serious vulnerabilities in more than a dozen wireless routers and access points. Along the same lines, Cisco issued a critical patch to remove hardcoded credentials from its Nexus switches.
A Telstra survey of Australian businesses found that Australian executives are less involved in security strategy than their counterparts in other APAC countries. This could create problems both in strategic terms and in the context of phishing attacks – specifically whaling, in which scammers trick employees into releasing information or authorising financial transactions by masquerading as the boss via email. Most recently, some employees of Snapchat were tricked into sending confidential information to attackers who pretended in an email to be company CEO Evan Spiegel.
Highlighting the industry's ongoing efforts to bolster its security response, IBM bought Resilient Systems, while service-management provider ServiceNow launched a security response-management bundle based on its internal service technologies. Next-generation endpoint security tools were said to be ready to replace antivirus software, but some security tools work better than others at stopping malicious outbound communications, according to new testing.
On the DDoS-blocking front, Akamai expanded its global network of DDoS 'scrubbing centres' by opening a new facility in Sydney, its seventh. Microsoft added a Windows 10 feature designed to bolster the platform's security, while Verizon expanded on its seminal Data Breach Investigations Report (DBIR) with a complementary Data Breach Digest outlining 18 real-world security breaches.
These bolstered capabilities came none too soon, as new CTB-Locker ransomware hit over 100 websites and there were suspicions that high-profile hacking group Hacking Team had developed new Mac OS X surveillance malware. One group of researchers said malvertising software they were analysing had proved hard to pin down, although in an interesting twist it appeared that the crafty cybercriminal groups writing this type of code were running into their own issues finding enough security talent.