CIO

The week in security: Spying toy banned as Yahoo learns the real cost of a data breach

Russia’s cybersecurity activities have been the stuff of rumour and innuendo recently, but the country is even apparently being scapegoated by malware authors who are inserting poorly-constructed Russian words as decoys.

There were concerns about the US government’s plan to collect foreigners’ social-media passwords as part of a cybersecurity policy climate that includes increased digital surveillance and encryption workarounds. Also of concern was a rash of phishing scams targeting the US Internal Revenue Service in the lead-up to its April 15 tax filing deadline.

Ever wondered about the real cost of a data breach? Verizon lowered its purchase price for breach-struck acquisition target Yahoo by $US350m ($A455m) after the company was hit with two major data breaches in the last year.

Little wonder businesses are laying down their digital transformation agendas for 2017, with data classification offering important controls for CISOs to assert their credibility with their superiors. This, as figures suggested that young women still aren’t getting as excited about ICT as the industry needs them to be.

There were concerns about a rise in fraud as cybercriminals moved to focus on online lending transactions, while others were looking into ways to reduce fraud by using a novel biometric indicator. A bug in Cloudflare’s content optimisation systems exposed sensitive information sent by users, although this did not apparently include 1Password credentials.

Adding a new wrinkle to the Internet of Things (IoT) debate, Germany banned an interactive children’s toy as an illegal spy device. Hard drives’ LED lights were flagged as a potential conduit for exfiltrating data, while police arrested a man suspected of building a million-router botnet on a German ISP’s network.

Also causing problems were unauthorised devices strewn across the network of the US Department of Transportation – whose CIO launched a network overhaul after numerous unauthorised consumer devices were discovered. Healthcare firms were said to be planning increases in security spending, while transcripts of ransomware ‘customer support’ sessions revealed that the malware perpetrators have rather different ideas about how to provide tech support.

As new macOS ransomware was spotted in the wild, many were pushing for better security protections, with WhatsApp offering two-factor authentication and Cisco pushing next-generation firewalls for midsize installations. Google offered a new platform for secure cloud file-sharing, while car makers were looking for ways to ensure that cars can’t be hacked to take control from their drivers.

Developers noted that specially crafted Java and Python scripts can work their way through firewalls, while Microsoft delayed its February patches after releasing one critical Windows security update; Google wasn’t prepared to wait, disclosing an unpatched IE vulnerability during the delay period.

Microsoft’s Edge browser was designed to stop malware from loading into memory, while Linux administrators were warned about the long-overdue patching of an 11-year-old root flaw in the platform’s kernel. Security advocates were pushing for replacement of SHA-1 after researchers demonstrated that it could be tricked.