The week in security: PRISM revelations show they really are watching you

Australia’s peak ISP body, the Internet Industry Association, kicked off a three-week review process after completing its review of its voluntary icode code of conduct, which coordinates the efforts of ISPs against malware and spam.

It could turn out to be well-timed, with McAfee reporting a surge in spam and suggesting malware was going back to the future as the presumed-dead Koobface social media worm made a resurgence.

Such trends highlighted the importance of effective mobile security, particularly as mobility turned already-common informal and formal bring your own device (BYOD) programs into unmanaged risk and executive-led cloud-services adoption forced CSOs to reconsider their security strategies.

Further clouding the landscape, security researchers suggest mobile antivirus products are all but useless. A survey of executives and IT staff found that laptops were seen as a bigger security risk than desktops and smartphones, suggesting a false sense of security that IT managers don’t necessarily share.

Even as numerous DDoS attacks hit multiple domain-name providers and the volume of traffic had security experts rending their garments, the head of security at Akamai warned that even the best DDoS protections can’t save CSOs from the need to manage internal security efforts (here’s some advice on how to do it). Another security expert suggested CSOs should consider the legendary battle portrayed in the movie ‘300’ when planning their network security defences.

Yet by far the biggest news of the week was the revelation that the US National Security Agency (NSA) had for years been running a surveillance system, called PRISM, that monitors a broad range of communications channels, putatively for signs of terrorist activity. Privacy groups were naturally up in arms while a conservative activist filed suit over the practice and US president Barack Obama said privacy compromises were necessary to protect the nation, while adding that “nobody is listening to your telephone calls”.

Amidst reports that the surveillance’s scope was “breathtaking” and that organisations including telecommunications carrier Verizon and major Internet companies were involved, Google denied it was involved and others wondered why Twitter wasn’t involved. Skype and Kazaa founder Jaan Tallinn said it was hard to know who to believe.

Defending its actions, the government claimed it was authorised to collect information on non-US persons outside the US, and revelations suggested businesses faced serious legal consequences if they refused to comply with NSA directives. Privacy activists were empowered by the revelations, while others were releasing FAQs and penning how-to guides for avoiding PRISM’s glare. Yet even as the person who leaked PRISM’s existence – 29-year-old ex-NSA contractor Edward Snowden – stepped into the limelight, indications were that the story was likely to get bigger as revelations about its scope continued to emerge.

Almost as an afterthought, Maine inched closer to becoming the first US state to require a warrant for tracking mobile phone activity. A newly-introduced bill in the US aimed to block the issuance of US visas to cyberattackers sponsored by foreign governments. The EU was also looking across national boundaries with the demand that EU countries be able to sentence hackers to two years in prison no matter where they live.

Google outlawed facial recognition apps and pornography on Google Glass, while reporting that tests showed biometric passwords would introduce their own problems. Also introducing problems was a new Android Trojan app that exploits previously unknown flaws, while research found that many users were introducing their own flaws by remaining extremely tardy when it comes to patching their Java implementations.

One researcher believes the Bitcoin virtual currency would, despite assertions to the contrary, be terrible for money laundering; certainly, it’s hard to stay anonymous given that Bitcoin sales are all recorded to a public ledger. Either way, UK data breaches are getting more expensive – whether measured in bitcoin or UK pounds – as their average cost rose to £2 million per incident.
