The week in security: If you must poke a bear, use a long stick

It's a lesson learnt all too painfully by all sorts of people in the past: don't cross a hacker, or you never know what will happen. Sadly, the developers of the Ruby on Rails team learned this the hard way after a user, who had warned of a vulnerability in the project's code repository on GitHub, hacked into the site to make a point after the development team dismissed his notification.

Developers weren't the only target: according to Symantec, members of the notorious Anonymous hacker group were themselves hacked, although they're denying it ever happened. Claims the FBI had chopped off the head of LulzSec were met with an equally equivocal response although the . However, nobody's denying Websense reports that around 30,000 WordPress blogs were hacked by a gang intent on using them to distribute "rogue" antivirus software; indeed, reports suggest that the Android Market in particular is "riddled" with bogus security products.

In other reports, a targeted email attack is using the political showdown over Iran's nuclear crisis to trick people into opening Word documents that use a known Adobe Flash Player vulnerability to install malware. Reports suggested that the Armageddon DDoS botnet integrates a new exploit called Apache Killer, while Google was forced to cut the link between its Google IM network and AOL's AIM after noting a surge in spam between the networks.

There was – theoretically – some good news, with reports suggesting last year's hack of RSA's SecurID physical login tokens caused no damage at all. Nonetheless, a post-mortem of the RSA Security conference concluded that IT security is in a "precarious spot", and few would be well-placed to disagree as a string of security issues hit the headlines. One survey, for example, found that companies are overconfident about their security protections and wouldn't know a hack if it came up and bit them on the nose. Figures also suggested that a huge number of vulnerabilities are originating from compromised home systems.

Things are so bad that a US senator has asked that country's Federal Trade Commission to look into Apple and Google for allowing mobile apps to access users' photographs without explicitly asking permission first. This, on the heels of formal requests by a pair of US lawmakers who want to know whether the government is snooping on employee emails as a matter of common practice. Such moves suggest concern over privacy may lead to tighter regulations on telecoms providers, but a group of ISPs has told the US Congress it really shouldn't pass new cybersecurity rules affecting broadband and mobile security providers.

New security products sought to batten the hatches, with Vodafone offering its 'Secure SIM' for secure access to data networks and Vasco delivering new 'e-signature devices' designed to make online transactions more convenient. Kaspersky offered a new product designed to secure virtualised environments which, we are reminded, raise three key issues of their own. And it might not sound like ideal security, but German researchers are suggesting that a new password store offers stronger iPhone security by simply letting attackers in every time.

Speaking of new products: Google patched a serious Chrome vulnerability but suffered a significant hack after a security researcher successfully broke with tradition and hacked into the Chrome browser; thankfully for Google, the penetration occurred within the confines of the CanSecWest security conference and only cost the company a longstanding $60,000 prize it has offered to anyone who can demonstrate a Chrome hack (Microsoft's IE9 browser also fell victim). That's one way to ensure security; another is to hire a security gun like Facebook CSO Joe Sullivan.

CSO also had a chat with a security bod who believes rugged development principles can improve the coherence of corporate security practices. Yet these principles, like any security-related guidance, must be applied carefully: without correct application of security standards, the result can actually be poor business outcomes.

The government, however, is hoping to enforce some standards on ethical hacking in a move that will improve visibility of security practices; also working to improve visibility was Lockheed Martin, which is opening a new software testing lab in Canberra where suppliers can test their various security solutions.

Copyright © 2012 IDG Communications, Inc.