The week in security: The final count: hackers one, Australian Census zero

There was no bigger cybersecurity story over the past week than the disaster that was Census 2016, which was supposed to be a showcase of the goverment's digital ambitions but became a nationwide fiasco after the Census site was unavailable – brought down, reports suggested, by a series of DDoS attacks that led to a poorly handled response by the site's administrators. Confusion about early claims – that the Census was targeted by overseas hackers – became even more confusing when it was revealed that the supposedly intense DDoS attacks hadn't even registered on global sensors that continually track DDoS activity around the world. The growing forces of cybersecurity collaboration are already well documented – and reinforced by the likes of the US Department of Homeland Security's advice for securing businesses – but consumer authority the US Federal Trade Commission popped up in a surprising place to appeal to hackers to help them crack down on manufacturers and service providers with poor security. There is certainly no lack of candidates: many Bluetooth-driven door locks were found to be vulnerable to attack, as were millions of Volkswagens built over the past 20 years. And hundreds of millions of Android devices running Qualcomm chipsets were judged likely to be exposed to one of four critical vulnerabilities that allow them to be compromised. Without the latest patches from Google, your phone or tablet is likely to be completely rooted. Little wonder bug bounties have become big business, with a security firm beating Apple's bug bounty by offering up to $US500,000 ($A655,000) for iOS zero-day vulnerabilities. Security experts warned of a Linux flaw that could affect anyone that uses the Internet, while a survey of patching habits found that self-patching systems are successfully reducing vulnerabilities but that most applications are getting patched less frequently as a result. Research suggests complex layers of accountability are helping download providers turn a nice profit by sneaking adware into the downloads they offer. Adware remains only one of many potential problems for businesses, however, with a Cisco analysis warning that for even more malicious activity. Better control over identity remains a key recommendation from security experts about how to fix the problem, and investments in identity-related technologies will form a significant part of the $US82bn that Gartner believes will be spent on information security this year. Much of that spend, some advisors have recommended, can be well directed to building cloud security response protocols and confounding phishing attacks just enough so that online attackers move on to easier targets – like the Dota 2 forum, which was hacked in a compromise that has seen the leakage of 2 million user passwords. Likewise, social engineering is proving extremely productive for hackers; CISOs, as always, need to be vigilant in their protections. Apple used claims over security to fight Australian banks' efforts to collectively negotiate for access to the NFC chip in its iPhones, while as if fulfilling its prophecy rival Samsung both denied and admitted a mobile payment vulnerability that it said was rare enough that the risk was worthwhile. For its part, Bitcoin exchange Bitfinex took an unusual approach to risk management after it was hacked, reducing its account holders' balances by 36 percent to compensate for its losses. Meanwhile, Microsoft patched 27 security flaws in its core products even as security experts warned that Web Proxy Auto-Discovery Protocol (WPAD) – supported on Windows and other platforms – has serious security problems and should be disabled immediately.

Tags hackingAustralian GovernmentDDoS attacksUS Department of Homeland Securityweek in securityvunerablitiesAustralian census

Show Comments