The week in security: Hackers plunder online databases as Trump nominee flags security boost
- 23 January, 2017 10:29
The inauguration of Donald Trump as US president led some to wonder whether a DDoS attack on Whitehouse.gov can be considered a legitimate protest like any other. There was also buzz as outgoing president Obama’s commutation of leaker Chelsea Manning’s sentence led to an offer by Julian Assange to face extradition to the US.
As if businesses didn’t already realise the need to rethink cybersecurity in the context of their digital-transformation efforts, ransom attacks wiped data from more than 3000 internet-exposed Elasticsearch clusters in just a few days, with attackers leaving notes demanding payment for its return. Attackers were also starting to wipe data from CouchDB and Hadoop databases left open to the internet without authentication.
Such ravages, combined with a growing attack surface, have led some experts to conclude that terrorists are winning the digital arms race – even as standards organisations regroup to bolster threat-information sharing.
Security practitioners should consider regularly snapshotting user activities to improve auditability and forensic analysis, some experts suggested, while a Trump nominee hinted at boosts in Internal Revenue Service cybersecurity staffing.
Researchers suggested a way to use your heartbeat as your password, although it wouldn’t be of much help against a critical flaw that allowed hackers to take control of Samsung SmartCam video cameras. Hundreds of Android apps were flagged for embedding sensitive access tokens and API keys in their code. And Apple moved to counter Fruitfly malware, an old strain that experts warned may have been spying on users undetected for years.
An analysis suggested attacks based on open-source vulnerabilities would rise by 20 percent this year. Oracle patched a range of vulnerabilities in business applications. This, as experts wondered whether antivirus is getting worse at detecting new threats.
A US court ruling suggested that workers had no recourse against employers that fail to protect their sensitive personal information. Yet security practitioners can certainly be fired, whether for failing to detect an intruder or for another type of security breach.
Also on the data-collection front, the CIA updated its rules relating to the collection and management of information about US people. There were questions about Microsoft’s ability to sue over indiscriminate US data requests.
Facebook paid a $US40,000 (A$54,600) reward to a researcher who pointed out that the company’s servers were vulnerable to a well-known exploit. This, as a Dutch developer was found to have stolen 20,000 passwords from web sites he built for business customers.