The week in security: NSA pushes security rethink as world hit by Shellshock

Australia earned the dubious honour of being the country most targeted by phishers – and that's saying something given that it happened in a climate where the overall level of data breaches is continuing to rise. Even malvertising authors were upping their game, digitally signing new samples in an effort to bypass detection by antivirus scanners.

With executives getting smarter about IT security, the smarter malware seems to be driving many companies to defer new business initiatives as they focus more on security. Yet they may run into other problems down the track, as security skills are becoming harder to come by – in the public sector because budgets aren't stretching to match private-sector rates, and in general because while students indicate they are interested in cybersecurity careers their schools aren't giving them the right foundations.

That's troubling news for a sector that is seeing a growing number of encryption users – and the practice has earned the ire of government types as senior officials warned that widespread use of encryption could compromise investigations. Along similar lines, a former NSA director was calling for a new cybersecurity model to deal with increasingly sophisticated attackers. The FBI apparently agrees, and moved towards releasing its Malware Investigator tool to the public in a novel crowdsourcing push.

Even as attacks against the Shellshock vulnerability continued and an improved patch for the vulnerability emerged, researchers continued evaluating the potential attack surface of various systems and found that a typical voice over IP (VoIP) phone system could be compromised using the vulnerability.

Exploits began to appear even as NAS maker QNAP, Cisco, Oracle and other companies realised that dozens of their products were vulnerable, while payment providers were also concerned and researchers confirmed that VPN servers running OpenVPN might be exposed to Shellshock.

Other researchers were weighing the exposure of Mac OS X even as Apple released its own patch for the vulnerability and researchers suggested other forms of defence against the flaw.

Speaking of software vulnerabilities, Rackspace was warning customers about an impending reboot related to an effort to patch a flaw in Xen software that was made public by the Xen Project days later. IBM's SoftLayer cloud company was caught on the back foot, starting its remediation 15 hours after the bug was made public.

General Motors was also worried about software vulnerabilities, appointing its first head of cybersecurity to ensure that the overall security isn't compromised by the increasingly complex systems being put into cars. And Apple seems to have been forced to do its own debugging, of a sort, after the Chinese government demanded the company make some security tweaks to reported flaws before it finally cleared the iPhone 6 for sale in that country.

Facebook's moves to capitalise upon its collection of private information for advertising raised eyebrows in privacy-conscious Germany – part of a region that one security vendor says “could be the most strict in the world” – while a Pakistani software executive has been indicted in the US for selling a product called StealthGenie that let users monitor communications on someone else's mobile phone. There was no indictment, however, of the Chinese malware authors that one security company alleges developed iOS malware to target Hong Kong protesters.

Yet effective attacks don't necessarily have to be so tricky: use of simple tools can make hacks against industrial systems relatively simple, a recent security conference was told. With cloud computing adding other new attack vectors, it has perhaps never been more important for organisations to get their security stories straight.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
