When I started writing this series of blog posts recently, I thought I would have sufficient material for a weekly post. However, when looking regularly at the security news from various sources, it becomes obvious that there are a few recurring topics:
- New (and old) waves of attacks and new and old types of malware
- New exploits – the target of choice differs, the topic always remains the same
- Discussions about privacy
- Vendors with inappropriate security patch policies
Yes, sometimes there are interesting announcements from vendors. However, besides the new big data approaches of IBM and RSA Security that I have covered before, there has not been much news this week, despite the RSA Security Conference in the U.S. and the CeBIT fair in Germany starting today (which, by the way, is still the largest IT fair worldwide).
Let’s have a quick look at the most important news.
Java as the new target of choice
It comes as no surprise that there is an increasing number of attacks using Java exploits. These include some of the known exploits, but also some new ones. This is also not surprising, given that attackers look for related weaknesses once a particular type of exploit has been identified. In consequence, Java updates have to be applied regularly, and the use of Java (especially within the browser) has to be carefully reconsidered.
Privacy vs. Freedom of Speech?
I read a fairly strange article on a lawsuit Google is facing in Spain these days. The article argues that the privacy debate over here in Europe is about “Privacy vs. Freedom of Speech”. In fact, the argument raised therein is that Google is allowed to publish a link based on the right to freedom of speech. Notably, this right exists in Europe as well, not only “Fair Speech” as the author assumes. And the idea behind freedom of speech in Europe is to protect the individual, not only society, which is in stark contrast to what the author says. Maybe the difference is that Europeans do not tend to protect questionable business models and principles through one of the fundamental human rights. From my (European) perspective, the article is based on a fundamental misunderstanding and misconception of what is considered the European position. Notably, there is no single European position but an intensive debate about these topics.
There is little change in the news around cyber-attacks. There are still masses of attacks, and the discussion about who is behind them continues. There is good reason to assume that some part of the attacks is state-sponsored, while others are carried out by cyber criminals. In the end, it is about accepting that there is a severe risk for any organization and any individual, and that we need to protect ourselves in a more sophisticated way. In a Trend Micro press release I received yesterday, the author compared it with the “fork” in chess, where you create two threats at a time. The other player can’t defend against both at the same time (but he might threaten you in another way). The author’s argument was that, based on a fork, i.e. multiple defense layers, the attackers are always in danger of being detected. I’m not sure whether the fork is the best chess pattern to compare with, and whether this is not rather the approach the attacker could take – but I liked the analogy.
The victim of the week was Evernote – they reported that some data had been hacked and asked all of their users to reset their passwords. Who will be next?