The week in security: Is compromised Android the mobile world’s Windows?

Even as signs suggested the Chinese hacking gang credited with the attack on the New York Times Web site is on the move again and the New York Post was hit by hacktivists, Trend Micro was warning of a new targeted attack called, ironically, ‘Safe’. A new compromise was identified on the Web site of the Central Tibetan Administration, while other new malware taps into a mobile ad network to make its money.

That approach is becoming more common, with Palo Alto Networks reporting on the mobile adware loophole and a Zscaler analysis finding that the problem has gotten so bad that one in five of the most popular Android apps is now a mobile security risk.

Confirming the growing Android threat, Trend Micro’s latest Security Roundup Report found that Android vulnerabilities were the biggest security concern, with Bitcoin applications being upgraded after a problem was identified in Android cryptography that could allow attackers to steal the virtual currency. And, according to an update from Kaspersky Lab, cybercriminals are using a Google application-messaging service to control the activity of their Android malware.

The problem is so bad that Android has become the mobile world’s equivalent of Windows, one study concludes. That’s not great news for consumers who love the idea of mobile security but aren’t quite ready yet to actually pay for it, according to reports. It’s even worse news because it can be assumed that some users will do the wrong thing no matter how much security training they receive, one security executive has warned.

Speaking of controlling activity, it turns out some gamers are using DDoS-on-demand services as weapons to inflict delays on their online rivals. Also having control issues was a baby-monitor maker whose product was hacked in a high-profile PR disaster. Less intentional was a problem at the University of Wolverhampton, which underwent a major firewall upgrade after problems with its network access control system were interrupting legitimate student users.

Government bodies were encouraged to develop customised defences to fight cyber attacks where antivirus software is now deemed to be inadequate: for example, some researchers authored code that can identify attack code even if it has changed its identity in an attempt to hide. Such approaches will be necessary if the forces of cybersecurity good are ever to keep up with new exploits, such as the one cybercriminals launched that capitalises on a recently patched Java vulnerability.

Meanwhile, organisations of all stripes were being encouraged to plan the isolation of Windows XP-based systems when support for the operating system is discontinued in April 2014, or face an endless series of zero-day attacks. It might also be time to weigh up cyber insurance, which is seeing a surge as data breaches drive companies’ interest.

In a sign that the US government has taken the revelations of its National Security Agency (NSA) snooping seriously, the Obama administration has set up a surveillance review group to weigh the benefits of applying new technologies to future surveillance activities. The NSA was also said to be considering cutting system-administrator numbers by 90 percent.

Meanwhile, Oracle CEO Larry Ellison weighed in on the surveillance issue, arguing that some government surveillance is “essential” in fighting terror. Along the same lines, Google raised a stink by arguing that Gmail users can’t expect their data to be private, leading some to wonder if it’s not getting a bit too arrogant for its own good. Meanwhile, Australian Privacy Commissioner Timothy Pilgrim had a scathing review of Web site privacy policies that he concluded were far too complex.

Some security experts were arguing that the NSA controversy won’t drive customers away from public cloud services. Others were so concerned about the security of cloud data – which has been said to be so bad in PRISM’s wake that it could cost businesses their very existence – that the likes of Kim Dotcom are considering new, secure email initiatives. Security consultancy Pure Hacking also weighed in on the lack of security, with a new service that traces stolen data into the netherworld of hacking forums and cyberspace dark alleys.

Joomla patched a file-manager vulnerability that’s been blamed for hijacked Web sites, while Microsoft patched critical Internet Explorer and Exchange Server flaws and offered optional security updates to block MD5 certificates and improve RDP authentication. IBM bought endpoint security company Trusteer, which will expand the computing giant’s new Security Division.

For its part, Google reported that it has paid out over $US2m for over 2000 security bug reports – suggesting the strength of the bug crowdsourcing model. Google is so happy about the results that it increased the rewards for the program, with the reward for bounties previously rated at $US1000 rising to $US5000.


Copyright © 2013 IDG Communications, Inc.
