The week in security: Warnings on open-source spinoffs, US-Europe privacy compromise

The average successful hack gains attackers less than $US15,000 ($A20,600), a recent Ponemon Institute study has found. Yet that may still be enough to lure attackers who are proving adept at navigating “confusing” industry messages on endpoint security, believes one security specialist who argues that the result is hampering companies' ability to shore up privileged-account security.

There is much shoring up to do: the latest SplashData survey suggested that the gaming world's worst passwords aren't changing much from year to year. Yet gamers are far from the only ones working to learn better security practice: one security consultant recounted his experiences teaching his elderly mother how to stay safe online.

Interestingly, even as humans struggle to learn about security, one security startup argues that its technology is a form of artificial intelligence that learns from humans. This, as Australian agricultural concern SunRice embarked on a major telecommunications and security upgrade that reflected its own security learnings and its plan to stay secure as it increasingly embraces the cloud – a task that is becoming increasingly challenging for users of Amazon Web Services and other commercial cloud giants.

Even as UK businesses were hit by a ransomware and DDoS surge, a new threat report highlighted the industries at greatest risk of attack by government-sponsored Chinese hackers, and many privacy advocates expressed concern about the death of privacy, the United States and European powers reached an eleventh-hour compromise that will ensure data continues to flow between the two regions' very different privacy regimes. Critics, however, have their reservations, and flaws in the privacy protections of smart toys won't make anyone sleep easier.

A Harvard study shot down the argument that wider use of encryption software will impact criminal and terrorism investigations. This goes against conventional wisdom, which has security bodies advocating for the inclusion of backdoors in legitimate encryption tools – something that one US presidential hopeful believes should be negotiated in secret.

Yet sometimes backdoors are right out there even without government intervention: the Socat networking service managed to make its own backdoor, for example. Also on the bugs front, Google fixed five critical Android bugs in its February Nexus update and 13 bugs in its latest Android, even as reports suggested that more than 60 Android games were designed to download and execute malicious code hidden inside online images.

Dell outlined a plan to boost security in its PCs and tablets, while vendors like Netgear and Motorola were racing after vulnerabilities were found in some of their products.

The federal government warned Internet users to watch out for an email scam involving the Australian Federal Police, while security vendor Malwarebytes said it could take four weeks to fix flaws recently identified in its products by a Google security researcher.

Speaking of flaws, one security researcher warned that a custom version of Google's Chrome browser, developed by security vendor Comodo, has a major flaw. The revelation, which Comodo rushed to fix, led to a stern talking-to from Google.

A similar situation hit the Avast SafeZone browser, which was found to have its own vulnerability after incorporating the open-source Chromium browser. Fittingly, some exploit-kit developers found a new solution to this problem: detecting probing by security researchers and preventing them from discovering vulnerabilities in the first place.
