The week in security: War of security words

Australian techhead Mark Pesce made some waves after designing a way to send encrypted tweets using his CrypTweet application. It's an interesting approach, but the still-evolving platform has been slammed by observers as being at an early stage and undermined by inherent characteristics of the Twitter platform.

Meanwhile, a spate of trust issues with certificate authorities (CAs) around the world has pushed Mozilla to give certificate authorities the chance to retain their inclusion within its products by expunging subordinate CA certificates used to intercept traffic on a private network. Also in the browser world, Google came out swinging against a Microsoft privacy protection feature that it says is inconsistent with modern Web-site features. The stoush arose after Microsoft accused Google of circumventing its privacy protections, but Google wasn't only on the giving end; the company copped a complaint to the US government from a consumer group that wants to halt its planned March 1 introduction of new privacy policies. Google has argued the new policy will have little impact on enterprises, but will they believe it?

Google isn't the only one changing privacy profiles: Key mobile app providers are set to introduce new privacy policies for all of their apps, although the changes will be just one step in a broader effort to mitigate the considerable risks inherent in mobile platforms. There are so many unknowns that Research in Motion was lobbying the Australian government to offer rebates for companies that work on revisiting and improving their internal security.

The US government is also aware of the risks, and is pushing for new privacy codes of conduct in a move that isn't

Meanwhile, Australia's Business Software Alliance has warned that Australia is second most-suitable in the world for cloud computing but that Europe's position is sliding because it's planning an overhaul of its data protection legislation.

Also on the cloud front, one analyst said cloud security is not a "real" concern – although that seems an interesting assertion given that online defences are falling at a scary pace. For example, a team of researchers figured out how to defeat a video-based CAPTCHA antispam system called NuCaptcha. Another team of researchers has capitalised on the recent release of Symantec's pcAnywhere source code, releasing an attack that can crash the popular remote-access application.

Symantec was itself in the news after announcing it had discovered a new variant of the ZeuS botnet that no longer requires central command and control servers; this is a major architectural change because the lack of C&C servers makes it harder for researchers to trace its activities back to a single source. That kind of correlation is essential for services like Akamai's new DDoS detection offering, Kona Site Defender, which gives businesses an additional layer of protection against such attacks.

Speaking of policy violations, some were considering how to differentiate between plain old cybercrime and all-out cyberwar. It may sound like a case of semantics, but these sorts of things become important when the industry is considering issues such as the US Cybersecurity Act of 2012, which is being targeted by industry figures who want to slow down the government's rush to change the laws. The US Federal Communications Commission is also pushing a model that could have implications within Australia, urging ISPs to proactively notify customers when their systems are compromised.

That said, many users may not even know their systems are being compromised, with a new version of the Flashback Trojan for Mac OS X able to install the malware without requiring any user intervention at all. This is hardly good news for malware defences – and neither is the suggestion that time-tested techniques for quarantining malware for analysis are "broken".

With all this talk about malware nastiness, it's easy to forget that social engineering remains a major security threat. CSO offered a rogues' gallery of the worst social engineers, none of whose activities would have been picked up by a new threat-detection product from startup Click Security, which bases its alerts on real-time analysis of intelligent sensors spread across a network. This sort of monitoring may also help companies implementing formal governance, risk and compliance (GRC) platforms, a task CSO addressed with 12 tips.

Copyright © 2012 IDG Communications, Inc.